| CVE-2026-44670 | critical | — | 9.5 | | | | 15d ago | SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE |
| CVE-2026-44588 | critical | — | 9.5 | | | | 15d ago | SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) |
| CVE-2026-45375 | critical | 9.0 | 9.0 | | | | 15d ago | SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution |
| CVE-2026-45371 | high | — | 8.0 | | | | 15d ago | SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs |
| CVE-2026-45148 | medium | 4.3 | 4.3 | | | | 15d ago | SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode |
| CVE-2026-45147 | medium | 4.3 | 4.3 | | | | 15d ago | SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk |