NVD脆弱性詳細

Exploit、PoC検索

NVD脆弱性検索トップ

->

NVD脆弱性詳細

CVE-2026-54069

概要	SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering. This vulnerability is fixed in 3.7.0.
公表日	2026年6月25日7:16
登録日	2026年6月27日4:24
最終更新日	2026年6月26日0:16

関連情報、対策とツール

No	URL	refsource	タグ
1	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hvr9-72v2-fff3	security-advisories@github.com
2	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-hvr9-72v2-fff3	134c704f-9b21-4f2e-91b3-4a467353bcc0

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-346	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html