Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-4343-1dvf-akas
Vulnerability ID VCID-4343-1dvf-akas
Aliases CVE-2026-33203
GHSA-3g9h-9hp4-654v
Summary SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-248 Uncaught Exception
CWE-306 Missing Authentication for Critical Function
System Score Found at
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2026-33203
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2026-33203
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2026-33203
epss 0.00069 https://api.first.org/data/v1/epss?cve=CVE-2026-33203
cvssv3.1 7.5 https://github.com/siyuan-note/siyuan
generic_textual HIGH https://github.com/siyuan-note/siyuan
cvssv3.1 7.5 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
generic_textual HIGH https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
ssvc Track https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-33203
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-33203
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33203
https://github.com/siyuan-note/siyuan
https://nvd.nist.gov/vuln/detail/CVE-2026-33203
GHSA-3g9h-9hp4-654v https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/siyuan-note/siyuan
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-23T16:45:50Z/ Found at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33203
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.21433
EPSS Score 0.00069
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:49:42.392414+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/33xxx/CVE-2026-33203.json 38.6.0