github.com/siyuan-note/siyuan/kernel (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/siyuan-note/siyuan/kernel, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (51)
CVE-2026-32938 — CVSS 9.9 (critical): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the /api/lute/html2BlockDOM on the desktop copies local…
CVE-2026-33669 — CVSS 9.8 (critical): SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface…
CVE-2026-32767 — CVSS 9.8 (critical): SiYuan is a personal knowledge management system. Versions 3.6.0 and below contain an authorization bypass vulnerability in the…
CVE-2026-33670 — CVSS 9.8 (critical): SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve…
CVE-2024-55660 — CVSS 9.8 (critical): SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to…
CVE-2026-34449 — CVSS 9.6 (critical): SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on…
CVE-2026-44670: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names…
CVE-2026-44588: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts…
CVE-2026-29183 — CVSS 9.3 (critical): SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the…
CVE-2026-32940 — CVSS 9.3 (critical): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks…
CVE-2026-30869 — CVSS 9.3 (critical): SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an…
CVE-2025-21609 — CVSS 9.1 (critical): SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion…
CVE-2026-25539 — CVSS 9.1 (critical): SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest…
CVE-2026-45375 — CVSS 9.0 (critical): SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and…
CVE-2026-33066 — CVSS 9.0 (critical): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without…
CVE-2026-39846 — CVSS 9.0 (critical): SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution…
CVE-2026-34448 — CVSS 9.0 (critical): SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View…
CVE-2026-32751 — CVSS 9.0 (critical): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names…
CVE-2026-33067 — CVSS 9.0 (critical): SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using…
CVE-2026-29073 — CVSS 8.8 (high): SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only…
CVE-2026-34585 — CVSS 8.6 (high): SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass…
CVE-2026-40318 — CVSS 8.5 (high): SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint…
CVE-2026-32110 — CVSS 8.3 (high): SiYuan is a personal knowledge management system. Prior to 3.6.0, the /api/network/forwardProxy endpoint allows authenticated users to make…
CVE-2026-40259 — CVSS 8.1 (high): SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint…
CVE-2025-67488 — CVSS 7.8 (high): SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain…
CVE-2026-32749 — CVSS 7.6 (high): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, POST /api/import/importSY and POST /api/import/importZipMd…
CVE-2024-55657 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's…
CVE-2024-55658 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to…
CVE-2026-23850 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server side…
CVE-2026-25992 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks…
CVE-2026-32815 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated…
CVE-2026-33203 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated…
CVE-2026-33476 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. Prior to version 3.6.2, the Siyuan kernel exposes an unauthenticated file-serving…
CVE-2026-34453 — CVSS 7.5 (high): SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks from…
CVE-2026-45371: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via…
CVE-2026-30926 — CVSS 7.1 (high): SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of…
CVE-2026-41894: SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check…
CVE-2026-32747 — CVSS 6.8 (medium): SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API eads source files using…
CVE-2026-33194 — CVSS 6.8 (medium): SiYuan is a personal knowledge management system. Prior to version 3.6.2, the `IsSensitivePath()` function in `kernel/util/path.go` uses a…
CVE-2026-23851 — CVSS 6.5 (medium): SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles…
CVE-2026-32704 — CVSS 6.5 (medium): SiYuan is a personal knowledge management system. Prior to 3.6.1, POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any…
CVE-2026-40107 — CVSS 6.5 (medium): SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels…
CVE-2026-34605 — CVSS 6.1 (medium): SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in…
CVE-2026-31809 — CVSS 6.1 (medium): SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the…
CVE-2026-23847 — CVSS 6.1 (medium): SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in…
CVE-2026-23645 — CVSS 6.1 (medium): SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS)…
CVE-2026-31807 — CVSS 6.1 (medium): SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements…
CVE-2024-55659 — CVSS 5.4 (medium): SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both…
CVE-2026-40922 — CVSS 5.4 (medium): SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README…
CVE-2026-45147 — CVSS 4.3 (medium): SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth…
CVE-2026-45148 — CVSS 4.3 (medium): SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag…