CVE-2026-54158: CRITICAL XSS in SiYuan (<3.7.0) allows persistent JS injection; on Electron clients, can escalate to RCE. Upgrade to 3.7.0+ ASAP. No active exploits reported. https://radar.offseq.com/threat/cve-2026-54158-cwe-79-improper-neutralization-of-i-cee0850f8d1e1264 #OffSeq #XSS #CVE202654158 #SiYuan
CVE-2026-50551: SiYuan (<3.7.0) suffers CRITICAL stored XSS in Attribute View, enabling RCE via Electron client. Upgrade to v3.7.0+ to mitigate. No workaround available. Details: https://radar.offseq.com/threat/cve-2026-50551-cwe-79-improper-neutralization-of-i-e91ef5b4d83fcdb8 #OffSeq #XSS #SiYuan #Cybersecurity
CVE-2026-55570: CRITICAL XSS in SiYuan (<3.7.0) enables arbitrary HTML injection. On the desktop client, attackers can escalate to OS command execution due to nodeIntegration. Upgrade to 3.7.0+ now! https://radar.offseq.com/threat/cve-2026-55570-cwe-79-improper-neutralization-of-i-34ddb800ffc94efb #OffSeq #XSS #Vuln #SiYuan
🚨 CVE-2026-39846 | CRITICAL: SiYuan < 3.6.4 vulnerable to stored XSS in table captions. Exploit enables RCE via Electron’s Node.js access — patch to 3.6.4 ASAP! Details: https://radar.offseq.com/threat/cve-2026-39846-cwe-79-improper-neutralization-of-i-d77ddc8a #OffSeq #SiYuan #vuln #infosec
🚨 CRITICAL alert: CVE-2026-34448 in SiYuan (<3.6.2) enables stored XSS, escalating to OS command execution via unsafe Electron configs. Patch to 3.6.2+ & tighten app security! Details: https://radar.offseq.com/threat/cve-2026-34448-cwe-79-improper-neutralization-of-i-36bc82a3 #OffSeq #SiYuan #CVE202634448 #XSS #infosec
🚨 CVE-2026-34449: CRITICAL RCE in SiYuan (<3.6.2) via permissive CORS. Visiting a malicious site while SiYuan runs allows OS-level code exec. Patch to 3.6.2+ ASAP! https://radar.offseq.com/threat/cve-2026-34449-cwe-942-permissive-cross-domain-pol-0cb7b35e #OffSeq #SiYuan #CVE202634449 #RCE #InfoSec
🚨 CVE-2026-33669: SiYuan (<3.6.2) has a CRITICAL out-of-bounds read flaw (CVSS 9.8). No auth/user interaction needed — remote attackers can leak sensitive memory. Upgrade to 3.6.2 ASAP! https://radar.offseq.com/threat/cve-2026-33669-cwe-125-out-of-bounds-read-in-siyua-064aace2 #OffSeq #Vulnerability #SiYuan #Cybersecurity
🚨 CRITICAL: CVE-2026-33670 in SiYuan (<3.6.2) lets remote attackers exploit /api/file/readDir for path traversal, exposing sensitive files. Patch to 3.6.2+ ASAP! Details: https://radar.offseq.com/threat/cve-2026-33670-cwe-22-improper-limitation-of-a-pat-0880f67a #OffSeq #vuln #infosec #SiYuan
⚠️ CVE-2026-32767: SiYuan (<3.6.1) has a CRITICAL SQL injection flaw in /api/search/fullTextSearchBlock. Any authenticated user can run SQL, risking full data compromise. Upgrade to 3.6.1+ ASAP. https://radar.offseq.com/threat/cve-2026-32767-cwe-89-improper-neutralization-of-s-8a5766fd #OffSeq #SiYuan #SQLInjection #Vuln
From Obsidian to SiYuan: Why Your Homelab Needs a Database, Not Just Notes 📚💻

As a system analyst, I’ve always been obsessed with structuring chaos. For years, Obsidian was my go-to "Second Brain." It’s powerful, but as my Homelab expanded, I realized I didn't just need notes — I needed a living documentation engine that I could access via web from any device in my network.

I’ve tested the whole spectrum: Docmost, Trilium, and AFFiNE.

- AFFiNE is beautiful (Notion + Miro vibes), but its "infinite canvas" often leads to visual chaos. It's great for sketching a network topology, but terrible when you need to find a specific CLI command via Ctrl+F.
- SiYuan changed the game for me. It’s currently at the heart of my local stack.

Why SiYuan is the "Final Boss" of Self-Hosted Note-taking:

1. Block-Level Granularity (JSON Power): 🧩
Unlike standard Markdown, SiYuan assigns a unique ID to every single paragraph and list item. This allows for transclusion—you can pull a specific VPN setup instruction into five different guides, and when you update the original, it updates everywhere.
2. The SQL Killer-Feature: ⚡
This is where it turns into a professional CMDB (Configuration Management Database). I don't manually track my 50+ Docker containers in a table. I just add custom attributes to my service notes:

custom-ip: 192.168.1.10
custom-port: 8080

Then, I use a native SQL query on my Dashboard to automatically generate a real-time "Service Matrix." If I change a port in a note, the master table updates itself. No more IP conflicts.

3. Performance & Sovereignty: 🛡️

- Resource Efficiency: While AFFiNE is a bit of a resource hog, SiYuan is incredibly light, idling at just 31MB in my Docker container.
- No Vendor-Lock: Even though it uses .sy (JSON) files for its advanced logic, the export to Markdown is flawless and can be automated via Kernel API.

The Verdict:
If you have 3-4 services, stick to Obsidian. But if you’re running a Proxmox cluster with complex networking, you need a tool that speaks SQL.

Don't let your documentation become legacy hardware. Give it a database-driven brain.

What about you? Are you a "pure Markdown" purist, or have you embraced the power of block-based databases like SiYuan or Notion? How do you track your Homelab inventory?

#SelfHosted #Homelab #SiYuan #Obsidian #KnowledgeManagement #SQL #SysAdmin #Documentation #TechStack #Privacy #OpenSource
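
The attribute-driven "Service Matrix" described in the post above, as an added example that is not the poster's or SiYuan's own code. It pivots `custom-ip` / `custom-port` attributes into one row per note and flags duplicate IP:port pairs and notes with a missing port. The three-column `attributes` table, the block IDs and all rows are constructed assumptions, not SiYuan's documented schema.

```python
import sqlite3

# Constructed sample rows: (block_id, name, value). The table layout is an
# assumption for this example, not SiYuan's documented schema.
ROWS = [
    ("blk-nginx", "custom-ip", "192.168.1.10"),
    ("blk-nginx", "custom-port", "8080"),
    ("blk-gitea", "custom-ip", "192.168.1.11"),
    ("blk-gitea", "custom-port", "3000"),
    ("blk-wiki", "custom-ip", "192.168.1.10"),
    ("blk-wiki", "custom-port", "8080"),          # collides with blk-nginx
    ("blk-draft", "custom-ip", "192.168.1.12"),   # port attribute missing
]

# Self-join: one row per note that has custom-ip, with its custom-port if set.
MATRIX_SQL = """
SELECT ip.block_id, ip.value AS ip, port.value AS port
FROM attributes AS ip
LEFT JOIN attributes AS port
  ON port.block_id = ip.block_id AND port.name = 'custom-port'
WHERE ip.name = 'custom-ip'
ORDER BY ip.value, CAST(port.value AS INTEGER), ip.block_id
"""

def load(rows):
    """Build an in-memory database holding the constructed attribute rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attributes (block_id TEXT, name TEXT, value TEXT)")
    db.executemany("INSERT INTO attributes VALUES (?, ?, ?)", rows)
    return db

def service_matrix(db):
    """Return [(block_id, ip, port_or_None), ...] for every service note."""
    return db.execute(MATRIX_SQL).fetchall()

def conflicts(db):
    """Map each (ip, port) claimed by more than one note to those notes."""
    seen = {}
    for block_id, ip, port in service_matrix(db):
        if port is not None:
            seen.setdefault((ip, port), []).append(block_id)
    return {pair: ids for pair, ids in seen.items() if len(ids) > 1}

def incomplete(db):
    """Notes that declare an IP but no port, so they cannot be checked."""
    return [block_id for block_id, _, port in service_matrix(db) if port is None]

if __name__ == "__main__":
    db = load(ROWS)
    print(service_matrix(db), conflicts(db), incomplete(db), sep="\n")
```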