Home > Vulnerability Database > CVE-2025-68948

Mend.io Vulnerability Database

CVE-2025-68948

Good to know:

Date: December 26, 2025

SiYuan is self-hosted, open source personal knowledge management software. In versions 3.5.1 and prior, the SiYuan Note application utilizes a hardcoded cryptographic secret for its session store. This unsafe practice renders the session encryption ineffective. Since the sensitive AccessAuthCode is stored within the session cookie, an attacker who intercepts or obtains a user's encrypted session cookie (e.g., via session hijacking) can locally decrypt it using the public key. Once decrypted, the attacker can retrieve the AccessAuthCode in plain text and use it to authenticate or take over the session.

Severity Score

5.3

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-68948

Url: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28

Url: https://www.mend.io/vulnerability-database/CVE-2025-68948

Severity Score

5.3

Weakness Type (CWE)

Use of Hard-coded Credentials

CWE-798

Use of Hard-coded Cryptographic Key

CWE-321

Top Fix

Upgrade Version

Upgrade to version github.com/siyuan-note/siyuan - v3.5.2;https://github.com/siyuan-note/siyuan.git - v3.5.2

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-68948

Good to know:

Date: December 26, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?