CVE-2026-33203

Published: Mar 21, 2026 Last Modified: Mar 21, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high

Description

AI Translation Available

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific 'auth keepalive' query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.

248

Uncaught Exception

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality
Potential Impacts:
Dos: Crash, Exit, Or Restart Read Application Data
Applicable Platforms
Languages: C#, C++, Java
View CWE Details
306

Missing Authentication for Critical Function

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Other
Potential Impacts:
Gain Privileges Or Assume Identity Varies By Context
Applicable Platforms
Technologies: Cloud Computing, ICS/OT
Likelihood of Exploit: High
View CWE Details
https://github.com/siyuan-note/siyuan/security/advisories/G…
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v