Package impact

Go / github.com/siyuan-note/siyuan/kernel

critical high medium low unknown

0

KEV Has exploit

CVE	Severity	CVSS	Risk	Flags	OS	Vendor	Published	Description
CVE-2026-44670	critical	—	9.5				15d ago	SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
CVE-2026-44588	critical	—	9.5				15d ago	SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
CVE-2026-45375	critical	9.0	9.0				15d ago	SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
CVE-2026-45371	high	—	8.0				15d ago	SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
CVE-2026-23850	high	7.5	7.5				4mo ago	SiYuan vulnerable to Arbitrary file Read / SSRF in github.com/siyuan-note/siyuan/kernel
CVE-2026-45148	medium	4.3	4.3				15d ago	SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
CVE-2026-45147	medium	4.3	4.3				15d ago	SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
CVE-2026-41894	unknown	—	—				1mo ago	SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
CVE-2026-40922	unknown	—	—				2mo ago	SiYuan has incomplete fix for CVE-2026-33066: XSS
CVE-2026-40318	unknown	—	—				2mo ago	SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
CVE-2026-40259	unknown	—	—				2mo ago	SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
CVE-2026-40107	unknown	—	—				2mo ago	SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
CVE-2026-39846	unknown	—	—				2mo ago	SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
CVE-2026-34605	unknown	—	—				2mo ago	SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
CVE-2026-34585	unknown	—	—				2mo ago	SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution
CVE-2026-34453	unknown	—	—				2mo ago	SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
CVE-2026-34449	unknown	—	—				2mo ago	SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
CVE-2026-34448	unknown	—	—				2mo ago	SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client
CVE-2026-33670	unknown	—	—				2mo ago	SiYuan has directory traversal within its publishing service in github.com/siyuan-note/siyuan/kernel
CVE-2026-33669	unknown	—	—				2mo ago	SiYuan has Arbitrary Document Reading within the Publishing Service in github.com/siyuan-note/siyuan/kernel
CVE-2026-33476	unknown	—	—				2mo ago	Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal in github.com/siyuan-note/siyuan/kernel
CVE-2026-33203	unknown	—	—				2mo ago	SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass in github.com/siyuan-note/siyuan/kernel
CVE-2026-33194	unknown	—	—				2mo ago	SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass) in github.com/siyuan-note/siyuan/kernel
CVE-2026-33067	unknown	—	—				2mo ago	SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata in github.com/siyuan-note/siyuan/kernel
CVE-2026-33066	unknown	—	—				2mo ago	SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering in github.com/siyuan-note/siyuan/kernel
CVE-2026-32938	unknown	—	—				2mo ago	SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service in github.com/siyuan-note/siyuan/kernel
CVE-2026-32767	unknown	—	—				2mo ago	SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API in github.com/siyuan-note/siyuan/kernel
CVE-2026-32751	unknown	—	—				2mo ago	SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface in github.com/siyuan-note/siyuan/kernel
CVE-2026-32749	unknown	—	—				2mo ago	SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write in github.com/siyuan-note/siyuan/kernel
CVE-2026-32815	unknown	—	—				2mo ago	SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure in github.com/siyuan-note/siyuan/kernel
CVE-2026-32747	unknown	—	—				2mo ago	SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets in github.com/siyuan-note/siyuan/kernel
CVE-2026-32704	unknown	—	—				3mo ago	SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB in github.com/siyuan-note/siyuan/kernel
CVE-2026-32110	unknown	—	—				3mo ago	SiYuan has a Full-Read SSRF via /api/network/forwardProxy in github.com/siyuan-note/siyuan/kernel
CVE-2026-31809	unknown	—	—				3mo ago	SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS in github.com/siyuan-note/siyuan/kernel
CVE-2026-31807	unknown	—	—				3mo ago	SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS in github.com/siyuan-note/siyuan/kernel
CVE-2026-30926	unknown	—	—				3mo ago	SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren in github.com/siyuan-note/siyuan/kernel
CVE-2026-30869	unknown	—	—				3mo ago	SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage in github.com/siyuan-note/siyuan/kernel
CVE-2026-29183	unknown	—	—				3mo ago	SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint in github.com/siyuan-note/siyuan/kernel
CVE-2026-29073	unknown	—	—				3mo ago	SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access in github.com/siyuan-note/siyuan/kernel
CVE-2026-25539	unknown	—	—				4mo ago	SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE in github.com/siyuan-note/siyuan/kernel
CVE-2026-25992	unknown	—	—				4mo ago	SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal in github.com/siyuan-note/siyuan/kernel
CVE-2026-23851	unknown	—	—				4mo ago	SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality in github.com/siyuan-note/siyuan/kernel
CVE-2026-23847	unknown	—	—				4mo ago	SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel
CVE-2026-23645	unknown	—	—				4mo ago	SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload in github.com/siyuan-note/siyuan/kernel
CVE-2025-67488	unknown	—	—				6mo ago	SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE in github.com/siyuan-note/siyuan/kernel
CVE-2025-21609	unknown	—	—				1y ago	SiYuan has an arbitrary file deletion vulnerability in github.com/siyuan-note/siyuan/kernel
CVE-2024-55657	unknown	—	—				2y ago	SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel
CVE-2024-55658	unknown	—	—				2y ago	SiYuan has an arbitrary file read and path traversal via /api/export/exportResources in github.com/siyuan-note/siyuan/kernel
CVE-2024-55659	unknown	—	—				2y ago	SiYuan has an arbitrary file write in the host via /api/asset/upload in github.com/siyuan-note/siyuan/kernel
CVE-2024-55660	unknown	—	—				2y ago	SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel