b3log CVE Vulnerabilities & Metrics

Focus on b3log vulnerabilities and metrics.

Last updated: 07 Jun 2025, 22:25 UTC

About b3log Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with b3log. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total b3log CVEs: 24
Earliest CVE date: 15 Nov 2017, 03:29 UTC
Latest CVE date: 03 Jan 2025, 17:15 UTC

Latest CVE reference: CVE-2025-21609

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 10

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 400.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 400.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical b3log CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 2.1

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     18
4.0-6.9     5
7.0-8.9     1
9.0-10.0    0

CVSS Distribution Chart

Top 5 Highest CVSS b3log CVEs

These are the five CVEs with the highest CVSS scores for b3log, sorted by severity first and then by recency.

All CVEs for b3log

CVE-2025-21609 b3log vulnerability CVSS: 0 03 Jan 2025, 17:15 UTC

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

CVE-2024-55660 b3log vulnerability CVSS: 0 12 Dec 2024, 02:15 UTC

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.

CVE-2024-55659 b3log vulnerability CVSS: 0 12 Dec 2024, 02:15 UTC

SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.

CVE-2024-55658 b3log vulnerability CVSS: 0 12 Dec 2024, 02:15 UTC

SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitrary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue.

CVE-2024-55657 b3log vulnerability CVSS: 0 12 Dec 2024, 02:15 UTC

SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.

CVE-2024-53507 b3log vulnerability CVSS: 0 29 Nov 2024, 20:15 UTC

A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems.

CVE-2024-53506 b3log vulnerability CVSS: 0 29 Nov 2024, 20:15 UTC

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs.

CVE-2024-53505 b3log vulnerability CVSS: 0 29 Nov 2024, 20:15 UTC

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent.

CVE-2024-53504 b3log vulnerability CVSS: 0 29 Nov 2024, 20:15 UTC

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory.

CVE-2024-6938 b3log vulnerability CVSS: 4.0 21 Jul 2024, 05:15 UTC

A vulnerability has been found in SiYuan 3.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file PDF.js of the component PDF Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-271993 was assigned to this vulnerability.

CVE-2024-2692 b3log vulnerability CVSS: 0 04 Apr 2024, 02:15 UTC

SiYuan version 3.0.3 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to Server Side XSS.

CVE-2024-23049 b3log vulnerability CVSS: 0 05 Feb 2024, 23:15 UTC

An issue in symphony v.3.6.3 and before allows a remote attacker to execute arbitrary code via the log4j component.

CVE-2021-32855 b3log vulnerability CVSS: 0 21 Feb 2023, 15:15 UTC

Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this issue.

CVE-2022-0350 b3log vulnerability CVSS: 3.5 31 Mar 2022, 16:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.13.

CVE-2022-0341 b3log vulnerability CVSS: 3.5 14 Mar 2022, 04:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 3.8.12.

CVE-2021-4103 b3log vulnerability CVSS: 3.5 23 Jan 2022, 02:15 UTC

Cross-site Scripting (XSS) - Stored in GitHub repository vanessa219/vditor prior to 1.0.34.

CVE-2019-17488 b3log vulnerability CVSS: 4.3 10 Oct 2019, 21:15 UTC

b3log Symphony (aka Sym) before 3.6.0 has XSS via the HTTP User-Agent header.

CVE-2019-13915 b3log vulnerability CVSS: 5.0 18 Jul 2019, 15:15 UTC

b3log Wide before 1.6.0 allows three types of attacks to access arbitrary files. First, the attacker can write code in the editor, and compile and run it approximately three times to read an arbitrary file. Second, the attacker can create a symlink, and then place the symlink into a ZIP archive. An unzip operation leads to read access, and write access (depending on file permissions), to the symlink target. Third, the attacker can import a Git repository that contains a symlink, similarly leading to read and write access.

CVE-2018-16248 b3log vulnerability CVSS: 4.3 20 Jun 2019, 16:15 UTC

b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles" menu with an ID of "articleTags" stored in the "tag" JSON field, which allows remote attackers to inject arbitrary Web scripts or HTML via a carefully crafted site name in an admin-authenticated HTTP request.

CVE-2018-16249 b3log vulnerability CVSS: 3.5 20 Jun 2019, 14:15 UTC

In Symphony before 3.3.0, there is XSS in the Title under Post. The ID "articleTitle" of this is stored in the "articleTitle" JSON field, and executes a payload when accessing the /member/test/points URI, allowing remote attacks. Any Web script or HTML can be inserted by an admin-authenticated user via a crafted web site name.

CVE-2019-9142 b3log vulnerability CVSS: 4.3 25 Feb 2019, 15:29 UTC

An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.

CVE-2018-16805 b3log vulnerability CVSS: 3.5 10 Sep 2018, 23:29 UTC

In b3log Solo 2.9.3, XSS in the Input page under the Publish Articles menu, with an ID of linkAddress stored in the link JSON field, allows remote attackers to inject arbitrary Web scripts or HTML via a crafted site name provided by an administrator.

CVE-2018-10469 b3log vulnerability CVSS: 7.5 27 Apr 2018, 04:29 UTC

b3log Symphony (aka Sym) 2.6.0 allows remote attackers to upload and execute arbitrary JSP files via the name[] parameter to the /upload URI.

CVE-2017-16821 b3log vulnerability CVSS: 3.5 15 Nov 2017, 03:29 UTC

b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.