Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Threat Intelligence
CVE-2026-55570: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan, an open-source personal knowledge management system, has a critical cross-site scripting (XSS) vulnerability in versions prior to 3.7.0. The vulnerability arises because untrusted fields (name, version, author, description) are not properly escaped when serialized into an HTML attribute, allowing injection of arbitrary HTML. In the desktop client, this XSS can escalate to arbitrary OS command execution due to the application's nodeIntegration and contextIsolation settings. This vulnerability is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:24:21 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54759: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan, an open-source personal knowledge management system, has a cross-site scripting (XSS) vulnerability in versions prior to 3.7.0. The vulnerability arises because Lute's HTML sanitizer does not remove <iframe> elements, and combined with the Electron client's permissive security settings, this allows an attacker to embed a malicious <iframe> in a Bazaar package README. Viewing the package details can lead to arbitrary command execution on the victim's machine without requiring package installation. This issue is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:21:57 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54158: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan, an open-source personal knowledge management system, has a critical cross-site scripting (XSS) vulnerability in versions prior to 3.7.0. The vulnerability occurs in the attribute-view cell renderer which improperly interpolates raw cell content in certain branches, allowing malicious input to execute arbitrary JavaScript. On the Electron desktop client with nodeIntegration enabled, this XSS can escalate to remote code execution (RCE). The issue is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:19:16 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54070: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan versions prior to 3.7.0 contain a cross-site scripting (XSS) vulnerability in the rendering of Bazaar package README files. The vulnerability arises because the Markdown-to-HTML renderer uses a sanitizer that fails to block certain modern event handler attributes, allowing malicious JavaScript to execute in the Administrator's browser when viewing package listings. This can lead to full control of the workspace by an attacker. The issue is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:18:24 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54069: CWE-346: Origin Validation Error in siyuan-note siyuan
SiYuan Note versions prior to 3.7.0 have an origin validation vulnerability in their kernel HTTP server. The server trusts all chrome-extension:// origins without authentication, granting RoleAdministrator access to any installed Chrome/Chromium extension. This allows extensions, including compromised ones, to make authenticated admin API calls to the local SiYuan kernel, potentially leading to data exfiltration, stored XSS injection, and configuration tampering. The vulnerability is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:17:02 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54068: CWE-306: Missing Authentication for Critical Function in siyuan-note siyuan
SiYuan versions prior to 3.7.0 have a vulnerability in the /api/icon/getDynamicIcon endpoint, which is excluded from authentication. This allows unauthenticated attackers who know a valid block ID to execute arbitrary SELECT queries on the SQLite database, potentially exposing all user note content and metadata. The issue is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:15:14 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54067: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
A critical cross-site scripting (XSS) vulnerability exists in SiYuan, an open-source personal knowledge management system, prior to version 3.7.0. The issue arises when CSS snippets containing </style> break out of their style tags during rendering, allowing arbitrary JavaScript execution. On Electron desktop builds with nodeIntegration enabled, this XSS can escalate to remote code execution (RCE) on the host. The vulnerability bypasses user settings that disable JavaScript execution, as the CSS path still runs injected scripts. An attacker with write access to any synced workspace can plant a payload that executes on all devices pulling that workspace. This vulnerability is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:14:38 UTC | Added: 06/24/2026, 21:46:06 UTC

CVE-2026-54066: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan
SiYuan, an open-source personal knowledge management system, has a path traversal vulnerability (CVE-2026-54066) affecting versions prior to 3.7.0. The issue allows unauthenticated remote attackers to read arbitrary files within the WorkspaceDir via double URL encoding in the /assets/*path route when the system is in publish mode. Sensitive files such as configuration files containing authentication tokens and logs can be accessed. This vulnerability was fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:13:25 UTC | Added: 06/24/2026, 21:46:05 UTC

CVE-2026-50551: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan, an open-source personal knowledge management system, has a critical stored cross-site scripting (XSS) vulnerability in the Attribute View asset cell renderer prior to version 3.7.0. This vulnerability can escalate to remote code execution (RCE) in the Electron desktop client. The issue is fixed in version 3.7.0.
CVE Database V5 | 06/24/2026, 21:20:42 UTC | Added: 06/24/2026, 21:46:05 UTC