B3log


Products by B3log Sorted by Most Security Vulnerabilities since 2018

B3log Siyuan: 11 vulnerabilities

B3log Symphony: 6 vulnerabilities

B3log Vditor: 4 vulnerabilities

B3log Solo: 2 vulnerabilities

B3log Wide: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in B3log. Last year, in 2025, B3log had 1 security vulnerability published. Right now, B3log is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year Vulnerabilities Average Score
2026 0 0.00
2025 1 9.10
2024 11 7.77
2023 1 6.10
2022 3 5.40
2021 0 0.00
2020 0 0.00
2019 5 5.45
2018 2 4.80

It may take a day or so for new B3log vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent B3log Security Vulnerabilities

Each entry gives the CVE, its publication date and the affected product, followed by the vulnerability title (where one is given) and the description.

CVE-2025-21609 (Jan 03, 2025) - Siyuan
SiYuan Note 3.1.18 arbitrary file deletion via /api/history/getDocHistoryContent
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

CVE-2024-55657 (Dec 12, 2024) - Siyuan
SiYuan: Arbitrary File Read Vulnerability in Template Render API
SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.

CVE-2024-55658 (Dec 12, 2024) - Siyuan
SiYuan: Arbitrary File Read Vulnerability in /api/export/exportResources Endpoint
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue.

CVE-2024-55659 (Dec 12, 2024) - Siyuan
SiYuan API Endpoint Arbitrary File Write and Stored XSS Vulnerability
SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.

CVE-2024-55660 (Dec 12, 2024) - Siyuan
SiYuan Server-Side Template Injection (SSTI) Vulnerability in Sprig Template Engine
SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.

CVE-2024-53504 (Nov 29, 2024) - Siyuan
Siyuan 3.1.11 SQLi in /searchHistory notebook param
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.

CVE-2024-53505 (Nov 29, 2024) - Siyuan
SQLi in Siyuan 3.1.11 via /getAssetContent ID param
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent.

CVE-2024-53506 (Nov 29, 2024) - Siyuan
Siyuan 3.1.11 SQL Injection Vulnerability in ids Array Parameter
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.

CVE-2024-53507 (Nov 29, 2024) - Siyuan
SQL Injection Vulnerability in Siyuan Note-Taking Application
A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.

CVE-2024-6938 (Jul 21, 2024) - Siyuan
SiYuan 3.1.0 Remote XSS via PDF.js (PDF Handler)
A vulnerability has been found in SiYuan 3.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file PDF.js of the component PDF Handler. The manipulation leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271993 was assigned to this vulnerability.

CVE-2024-2692 (Apr 04, 2024) - Siyuan
SiYuan 3.0.3 Exec via ServerSide XSS
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.

CVE-2024-23049 (Feb 05, 2024) - Symphony
Arbitrary Code Exec via log4j in Symphony <=3.6.3
An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component.

CVE-2021-32855 (Feb 21, 2023) - Vditor
Vditor <3.8.7 XSS in browser-side Markdown editor (copy-paste)
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this issue.

CVE-2022-0350 (Mar 31, 2022) - Vditor
Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.13.

CVE-2022-0341 (Mar 14, 2022) - Vditor
Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12.

CVE-2021-4103 (Jan 23, 2022) - Vditor
Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 1.0.34.

CVE-2019-17488 (Oct 10, 2019) - Symphony
b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.

CVE-2019-13915 (Jul 18, 2019) - Wide
b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access.

CVE-2018-16248 (Jun 20, 2019) - Solo
b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request.

CVE-2018-16249 (Jun 20, 2019) - Symphony
In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.

CVE-2019-9142 (Feb 25, 2019) - Symphony
An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.

CVE-2018-16805 (Sep 10, 2018) - Solo
In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator.

CVE-2018-10469 (Apr 27, 2018) - Symphony
b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI.

CVE-2017-16821 (Nov 15, 2017) - Symphony
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).