NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-54069

Summary	SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
Publication Date	June 25, 2026, 7:16 a.m.
Registration Date	June 27, 2026, 4:24 a.m.
Last Update	June 26, 2026, 12:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hvr9-72v2-fff3	security-advisories@github.com
2	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hvr9-72v2-fff3	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-346	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html