PT-2026-26211 · Siyuan · Siyuan

Mith36 · Published 2026-03-18 · Updated 2026-03-27 · CVE-2026-33203

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.2

Description

SiYuan is a personal knowledge management system. The kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service.

The issue resides in the kernel/server/serve.go file, specifically in the handling of the /ws?app=siyuan endpoint with the id=auth&type=auth query parameters. The vulnerable code accesses fields from the incoming JSON data using type assertions without validation, such as request["cmd"].(string), request["reqId"].(float64), and request["param"].(map[string]interface{}). Malformed or missing fields can trigger a runtime panic, leading to a denial of service.

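The difference between the single-value type assertions named in the description and Go's two-value form, shown as an added example (this is not SiYuan's code or its actual fix). The Request type, the function names and the sample message are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request holds the three fields the advisory names.
type Request struct {
	Cmd   string
	ReqID float64
	Param map[string]interface{}
}

// parseUnchecked mirrors the described pattern: single-value assertions panic on bad input.
func parseUnchecked(raw []byte) Request {
	var request map[string]interface{}
	_ = json.Unmarshal(raw, &request)
	return Request{request["cmd"].(string), request["reqId"].(float64),
		request["param"].(map[string]interface{})}
}

// parseChecked uses the two-value form, so a bad field yields an error, not a panic.
func parseChecked(raw []byte) (Request, error) {
	var request map[string]interface{}
	if err := json.Unmarshal(raw, &request); err != nil {
		return Request{}, fmt.Errorf("invalid JSON: %w", err)
	}
	cmd, okCmd := request["cmd"].(string)
	reqID, okID := request["reqId"].(float64)
	param, okParam := request["param"].(map[string]interface{})
	if !okCmd || !okID || !okParam {
		return Request{}, fmt.Errorf("bad field type: cmd=%T reqId=%T param=%T", request["cmd"], request["reqId"], request["param"])
	}
	return Request{cmd, reqID, param}, nil
}

// panics reports whether f panicked (here: on a failed type assertion).
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	bad := []byte(`{"cmd":"ping","reqId":"1"}`) // constructed: reqId is a string, param is absent
	_, err := parseChecked(bad)
	fmt.Println("unchecked panics:", panics(func() { parseUnchecked(bad) }), "| checked:", err)
}
```
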
Recommendations

Versions prior to 3.6.2 should be updated to version 3.6.2 or later.

Exploit · Fix · DoS · Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-33203
GHSA-3G9H-9HP4-654V
GO-2026-4752
SUSE-SU-2026:1135-1

Affected Products

Siyuan