github.com/siyuan-note/siyuan/kernel vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
| --- | --- | --- |
| CVE-2026-45375 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored… |
| CVE-2026-45371 | High | github.com/siyuan-note/siyuan/kernel: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs |
| CVE-2026-45148 | Medium | github.com/siyuan-note/siyuan/kernel: SiYuan has broken access control in `/api/search/{searchAsset,searchTag,searchWidget,searchTemplate}… |
| CVE-2026-45147 | Medium | github.com/siyuan-note/siyuan/kernel: SiYuan: Broken access control in `/api/tag/getTag` — Reader role can mutate `Conf.Tag.Sort` and… |
| CVE-2026-44588 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink… |
| CVE-2026-44670 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE |
| CVE-2026-41894 | High | github.com/siyuan-note/siyuan/kernel: SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for… |
| CVE-2026-40922 | Medium | github.com/siyuan-note/siyuan/kernel: SiYuan has incomplete fix for CVE-2026-33066: XSS |
| CVE-2026-40318 | High | github.com/siyuan-note/siyuan/kernel: SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView` |
| CVE-2026-40259 | High | github.com/siyuan-note/siyuan/kernel: SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via… |
| CVE-2026-40107 | High | github.com/siyuan-note/siyuan/kernel: SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering |
| CVE-2026-39846 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions |
| CVE-2026-34605 | High | github.com/siyuan-note/siyuan/kernel: SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon,… |
| CVE-2026-34585 | High | github.com/siyuan-note/siyuan/kernel: SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution |
| CVE-2026-34453 | High | github.com/siyuan-note/siyuan/kernel: SiYuan: Unauthenticated Access to Password-Protected Bookmarks via /api/bookmark/getBookmark |
| CVE-2026-34449 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection |
| CVE-2026-34448 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan: Stored XSS in Attribute View Gallery/Kanban Cover Rendering Allows Arbitrary Command… |
| CVE-2026-33670 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan has directory traversal within its publishing service |
| CVE-2026-33669 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan has Arbitrary Document Reading within the Publishing Service |
| CVE-2026-33476 | High | github.com/siyuan-note/siyuan/kernel: Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal |
| CVE-2026-33203 | High | github.com/siyuan-note/siyuan/kernel: SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass |
| CVE-2026-33194 | Medium | github.com/siyuan-note/siyuan/kernel: SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home… |
| CVE-2026-33067 | Medium | github.com/siyuan-note/siyuan/kernel: SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata |
| CVE-2026-33066 | Medium | github.com/siyuan-note/siyuan/kernel: SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering |
| CVE-2026-32938 | Critical | github.com/siyuan-note/siyuan/kernel: SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service |
