Security Advisories for github.com/siyuan-note/siyuan/kernel in go
Critical
30 days ago
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
go
github.com/siyuan-note/siyuan/kernel
High
30 days ago
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
go
github.com/siyuan-note/siyuan/kernel
Moderate
30 days ago
SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}` publish-mode
go
github.com/siyuan-note/siyuan/kernel
Moderate
30 days ago
SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and persist to disk
go
github.com/siyuan-note/siyuan/kernel
Critical
about 1 month ago
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
go
github.com/siyuan-note/siyuan/kernel
Critical
about 1 month ago
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
go
github.com/siyuan-note/siyuan/kernel
High
about 2 months ago
SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)
go
github.com/siyuan-note/siyuan/kernel
Moderate
about 2 months ago
SiYuan has incomplete fix for CVE-2026-33066: XSS
go
github.com/siyuan-note/siyuan/kernel
High
2 months ago
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
go
github.com/siyuan-note/siyuan/kernel
High
2 months ago
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
go
github.com/siyuan-note/siyuan/kernel
High
2 months ago
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
go
github.com/siyuan-note/siyuan/kernel
Critical
2 months ago
SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
go
github.com/siyuan-note/siyuan/kernel
High
2 months ago
SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)
go
github.com/siyuan-note/siyuan/kernel
High
2 months ago
SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution
go
github.com/siyuan-note/siyuan/kernel
High
2 months ago
SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark
go
github.com/siyuan-note/siyuan/kernel
Critical
2 months ago
SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
go
github.com/siyuan-note/siyuan/kernel
Critical
2 months ago
SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command Execution in Desktop Client
go
github.com/siyuan-note/siyuan/kernel
Critical
3 months ago
SiYuan has directory traversal within its publishing service
go
github.com/siyuan-note/siyuan/kernel
Critical
3 months ago
SiYuan has Arbitrary Document Reading within the Publishing Service
go
github.com/siyuan-note/siyuan/kernel
High
3 months ago
Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal
go
github.com/siyuan-note/siyuan/kernel
High
3 months ago
SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass)
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
go
github.com/siyuan-note/siyuan/kernel
Critical
3 months ago
SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service
go
github.com/siyuan-note/siyuan/kernel
Critical
3 months ago
SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
go
github.com/siyuan-note/siyuan/kernel
High
3 months ago
SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB
go
github.com/siyuan-note/siyuan/kernel
High
3 months ago
SiYuan has a Full-Read SSRF via /api/network/forwardProxy
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
go
github.com/siyuan-note/siyuan/kernel
High
3 months ago
SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren
go
github.com/siyuan-note/siyuan/kernel
Critical
3 months ago
SiYuan Vulnerable to Path Traversal in /export Endpoint Allows Arbitrary File Read and Secret Leakage
go
github.com/siyuan-note/siyuan/kernel
Critical
3 months ago
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
go
github.com/siyuan-note/siyuan/kernel
Moderate
3 months ago
SiYuan's direct SQL Query API accessible to Reader-level users enables unauthorized database access
go
github.com/siyuan-note/siyuan/kernel
Critical
4 months ago
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
go
github.com/siyuan-note/siyuan/kernel
High
4 months ago
SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal
go
github.com/siyuan-note/siyuan/kernel
High
5 months ago
SiYuan vulnerable to Arbitrary file Read / SSRF
go
github.com/siyuan-note/siyuan/kernel
High
5 months ago
SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality
go
github.com/siyuan-note/siyuan/kernel
Low
5 months ago
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
go
github.com/siyuan-note/siyuan/kernel
Moderate
5 months ago
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
go
github.com/siyuan-note/siyuan/kernel
High
6 months ago
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin
go
github.com/siyuan-note/siyuan/kernel
High
6 months ago
SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE
go
github.com/siyuan-note/siyuan/kernel
High
over 1 year ago
SiYuan has an arbitrary file deletion vulnerability
go
github.com/siyuan-note/siyuan/kernel
High
over 1 year ago
SiYuan has an arbitrary file read via /api/template/render
go
github.com/siyuan-note/siyuan/kernel
High
over 1 year ago
SiYuan has an arbitrary file read and path traversal via /api/export/exportResources
go
github.com/siyuan-note/siyuan/kernel
High
over 1 year ago
SiYuan has an arbitrary file write in the host via /api/asset/upload
go
github.com/siyuan-note/siyuan/kernel
Moderate
over 1 year ago
SiYuan has an SSTI via /api/template/renderSprig
go
github.com/siyuan-note/siyuan/kernel