siyuan — Vulnerabilities & Security Advisories 53

All 53 CVE vulnerabilities found in siyuan, with AI-generated Chinese analysis, references, and POCs.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-31809	SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS CWE-79	5.4^AI	Medium^AI	2026-03-10
CVE-2026-31807	SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS CWE-79	6.1^AI	Medium^AI	2026-03-10
CVE-2026-30869	SiYuan has a Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage CWE-22	9.3	Critical	2026-03-09
CVE-2026-30926	SiYuan Note publish service authorization bypass allows low-privilege users to modify notebook content CWE-284	7.1	High	2026-03-09
CVE-2026-29183	SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution CWE-79	9.3	Critical	2026-03-06
CVE-2026-29073	SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access CWE-862	8.8	-	2026-03-06
CVE-2026-25992	SiYuan has a File Read Interface Case Bypass Vulnerability CWE-22	7.5	High	2026-02-10
CVE-2026-25647	Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink CWE-79	4.6	Medium	2026-02-06
CVE-2026-25539	SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE CWE-22	9.1	Critical	2026-02-04
CVE-2026-23852	SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute CWE-94	8.2^AI	High^AI	2026-01-19
CVE-2026-23851	SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality CWE-22	8.1^AI	High^AI	2026-01-19
CVE-2026-23850	SiYuan vulnerable to arbitrary file read CWE-22	6.5^AI	Medium^AI	2026-01-19
CVE-2026-23847	SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon CWE-79	6.1^AI	Medium^AI	2026-01-19
CVE-2026-23645	SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload CWE-79	5.4	-	2026-01-16
CVE-2025-68948	SiYuan: Information Disclosure and Authentication Bypass via Hardcoded Session Secret CWE-321	8.4	-	2025-12-27
CVE-2025-67488	SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE CWE-22	7.8	High	2025-12-09
CVE-2025-21609	SiYuan has an arbitrary file deletion vulnerability CWE-459	8.1	-	2025-01-03
CVE-2024-55660	SiYuan has an SSTI via /api/template/renderSprig CWE-1336	6.5	-	2024-12-11
CVE-2024-55659	SiYuan has an arbitrary file write in the host via /api/asset/upload CWE-22	5.4	-	2024-12-11
CVE-2024-55658	SiYuan has an arbitrary file read and path traversal via /api/export/exportResources CWE-22	6.5	-	2024-12-11
CVE-2024-55657	SiYuan has an arbitrary file read via /api/template/render CWE-22	6.5	-	2024-12-11
CVE-2024-6938	SiYuan PDF PDF.js cross site scripting CWE-79	3.5	Low	2024-07-21
CVE-2024-2692	SiYuan 3.0.3 - RCE via Server Side XSS CWE-79	9.0	Critical	2024-04-04

All 53 known CVE vulnerabilities affecting siyuan with full Chinese analysis, references, and POCs where available.

Goal Reached Thanks to every supporter — we hit 100%!

siyuan — Vulnerabilities & Security Advisories 53