Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
Published: 2026-04-07
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SiYuan is a personal knowledge management system with an Electron desktop client. Before version 3.6.4, a table caption entered in a note is stored without safe escaping, and when the note is rendered the caption is unescaped into HTML, creating a stored cross-site scripting sink. Because the Electron renderer runs with nodeIntegration enabled and contextIsolation disabled, script injected through that sink has the same Node.js access as the application itself, so an attacker can execute arbitrary commands on the victim's machine with the victim's privileges. One unescaped field is therefore enough to fully compromise the desktop client and the user account running it.

Affected Systems

All users of the SiYuan Electron desktop client in versions prior to 3.6.4 are affected. The vulnerable code is in the SiYuan desktop application maintained by siyuan-note (recorded under the vendor B3log in the CPE cpe:2.3:a:b3log:siyuan listed below). The escaping fix ships in version 3.6.4; that version and all later releases are not affected.

Risk and Exploitability

The CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) indicates critical severity. The CVE is not listed in the CISA KEV catalog and its EPSS score is currently below 1%, while the SSVC assessment records a public proof of concept ("Exploitation: poc"). The attack is remote but indirect: the attacker needs the ability to place a note in a workspace the victim syncs (the PR:L in the vector), and the victim must open that note (UI:R). A shared or collaborative workspace is the obvious delivery path. Exploitation succeeds only against an unpatched client (before 3.6.4); the nodeIntegration and contextIsolation settings that turn the XSS into code execution are fixed in the application's Electron configuration and cannot be changed by the end user, so upgrading is the effective defence.

Generated by OpenCVE AI on April 7, 2026 at 23:46 UTC.

Remediation

The vendor fix is SiYuan 3.6.4 (see GHSA-phhp-9rm9-6gr2). No workaround short of upgrading is provided.

OpenCVE Recommended Actions

  • Apply the patch by upgrading SiYuan to version 3.6.4 or later
  • If upgrading is not immediately possible, refrain from opening or syncing notes that originated from unknown or untrusted collaborators
  • Note that disabling nodeIntegration or enabling contextIsolation would stop the XSS from reaching Node.js APIs, but these are BrowserWindow webPreferences set in the application's Electron main process, not end-user settings; they are only an option if you build the client yourself
  • Verify that the latest version signature matches the vendor’s official release to ensure no tampering has occurred


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-phhp-9rm9-6gr2
Title: SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
History

Thu, 16 Apr 2026 04:45:00 +0000

Values added:
First Time appeared: B3log, B3log siyuan
CPEs: cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products: B3log, B3log siyuan

Thu, 09 Apr 2026 08:30:00 +0000

Values added:
First Time appeared: Siyuan, Siyuan siyuan
Vendors & Products: Siyuan, Siyuan siyuan

Wed, 08 Apr 2026 16:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 22:00:00 +0000

Values added:
Description SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
Title: SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
Weaknesses: CWE-79, CWE-94
References: (none recorded)
Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T15:23:37.827Z

Reserved: 2026-04-07T19:13:20.378Z

Link: CVE-2026-39846

Vulnrichment

Updated: 2026-04-08T15:23:29.101Z

NVD

Status : Analyzed

Published: 2026-04-07T22:16:23.597

Modified: 2026-04-16T04:32:01.020

Link: CVE-2026-39846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:23:01Z

Weaknesses