CVE-2026-54069
CriticalCVSS 9.2Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
SiYuan is an open-source personal knowledge management system. Prior to version 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, allowing RoleAdministrator access to every installed browser extension without authentication.
Risk Assessment
The risk to the organization is that malicious extensions can access the admin API, leading to data exfiltration, XSS injection, and configuration tampering.
Recommendation
It is recommended to upgrade to version 3.7.0 or later to mitigate this vulnerability and to limit trust in browser extension origins.
Original NVD description (English source)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.

