CVE-2026-30926
HIGHCVSS v3
7.1
HIGH
EPSS Score
0.0%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish us
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 3/10/2026
- Last Modified
- 3/13/2026
Frequently Asked Questions
What is CVE-2026-30926?
SiYuan is a personal knowledge management system. Prior to 3.5.10, a privilege escalation vulnerability exists in the publish service of SiYuan Note that allows low-privilege publish accounts (RoleReader) to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint requires only the model.CheckAuth role, which accepts RoleReader sessions, but it does not enforce stricter checks, such as CheckAdminRole or CheckReadonly. This allows remote authenticated publish us
Is CVE-2026-30926 actively exploited?
Active exploitation of CVE-2026-30926 has not been confirmed. The EPSS score is 0.0%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-30926?
CVE-2026-30926 has a CVSS v3 base score of 7.1 (HIGH severity), with vector string 3.1.
Is CVE-2026-30926 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.