CVE Catalog

CVE-2026-54069

CriticalCVSS 9.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

45th percentile — higher than 45% of all known CVEs

Summary

SiYuan is an open-source personal knowledge management system. Prior to version 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, allowing RoleAdministrator access to every installed browser extension without authentication.

Risk Assessment

The risk to the organization is that malicious extensions can access the admin API, leading to data exfiltration, XSS injection, and configuration tampering.

Recommendation

It is recommended to upgrade to version 3.7.0 or later to mitigate this vulnerability and to limit trust in browser extension origins.

Original NVD description (English source)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS