CVE-2026-33203

EUVD-2026-13869

20.03.2026, 23:16

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
b3log	siyuan	𝑥 < 3.6.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v

Common Weakness Enumeration

CWE-248 - Uncaught Exception
An exception is thrown from a function, but it is not caught.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v