cvedb.io
CVE-2026-32815
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-19T22:16:42.167 · Last modified 2026-06-17T10:36:23.873

Summary

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint (/ws) allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any external client — including malicious websites via cross-origin WebSocket — to connect and receive all server push events in real-time. These events leak sensitive document metadata including document titles, notebook names, file paths, and all CRUD operations performed by authenticated users. Combined with the absence of Origin header validation, a malicious website can silently connect to a victim's local SiYuan instance and monitor their note-taking activity. This issue has been fixed in version

Affected products

b3log — siyuan

Does this affect you?

Add your gear to cvedb and we'll alert you only when b3log ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.