CVE-2024-2692: SiYuan 3.0.3 - RCE via Server Side XSS
9.0
CVSS
Description
SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.
Classification
CVE ID: CVE-2024-2692
CVSS Base Severity: CRITICAL
CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Problem Types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected Products
Vendor: SiYuan
Product: SiYuan
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.22% (probability of being exploited)
EPSS Percentile: 44.67% (scored less or equal to compared to others)
EPSS Date: 2025-06-06 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: poc
SSVC Technical Impact: total
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2024-2692https://fluidattacks.com/advisories/dezco/
https://github.com/siyuan-note/siyuan/