Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.
Published: 2026-04-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Stored XSS
Action: Patch Immediately
AI Analysis

Impact

SiYuan renders Mermaid diagrams with a securityLevel of "loose" and injects the resulting SVG into the page through innerHTML. As a result, attacker-controlled javascript: URLs placed in Mermaid code blocks persist into the rendered output. When a note containing such a diagram is opened in the desktop Electron build, the application creates its window with nodeIntegration enabled and contextIsolation disabled, so the stored XSS escalates to arbitrary code execution. The flaw can lead to full compromise of the victim's machine if the user opens the malicious note and interacts with the diagram.

Affected Systems

The vulnerability affects the SiYuan Note application in versions 3.6.3 and earlier. Users running these releases as the desktop Electron build, on any platform, are at risk.

Risk and Exploitability

The flaw has a CVSS score of 9.1, critical severity. Although EPSS data is not available, the lack of mitigations in affected releases and the fact that exploitation only requires a victim to open a note suggest a non-negligible exploitation probability. The issue is not listed in CISA's KEV catalog, but its high score and the absence of broader protective controls mean that organizations should treat it as critical. The attack requires a crafted Mermaid diagram containing a javascript: link; once a user opens the note and clicks the diagram in the Electron environment, the stored XSS escalates to code execution because nodeIntegration is enabled and contextIsolation is disabled.

Generated by OpenCVE AI on April 17, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SiYuan version 3.6.4 or newer, which removes the Mermaid rendering flag and sanitizes the SVG output.
  • For notes created before the fix, review and delete any Mermaid blocks that contain javascript: links or other suspicious content.
  • If you use a custom Electron build, ensure that nodeIntegration is disabled and contextIsolation is enabled to reduce the risk of XSS escalation.
  • After applying the patch, verify that the securityLevel is set to "strict" in the application settings to prevent future unsafe rendering.
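As an added example, not code from SiYuan or from OpenCVE, the Node.js script below implements the second and third recommendations above in a form that can be run against exported notes: it scans Markdown for fenced Mermaid blocks whose click targets or href attributes use a javascript: scheme (vbscript: and data: are flagged as related schemes, a generalisation beyond the advisory), reporting the block index and note line, and it audits an Electron webPreferences object for the nodeIntegration/contextIsolation combination the advisory describes. The triple-backtick fence syntax, the click/href patterns and the sample note are assumptions made for the example; the sample note is constructed here.

```javascript
'use strict';
// Added example for the SiYuan Mermaid advisory; not SiYuan or OpenCVE code.
// Assumptions: notes use standard triple-backtick Mermaid fences, and links
// appear as Mermaid click directives or href attributes in HTML labels.

// Built from three characters so this example can itself sit inside a fence.
const FENCE = '`'.repeat(3);

// Fenced Mermaid blocks: group 1 is the diagram source.
const MERMAID_FENCE = new RegExp(FENCE + 'mermaid[^\\n]*\\n([\\s\\S]*?)' + FENCE, 'g');

// Quoted link targets: `click A "url"`, `click A href "url"`, and href="url".
// Group 2 is the URL.
const QUOTED_TARGET = /\b(?:click\s+\S+\s+(?:href\s+)?|href\s*=\s*)(["'])(.*?)\1/gi;

// javascript: is the scheme the advisory names; vbscript: and data: are
// added here as related script- or markup-bearing schemes.
const SCRIPT_SCHEMES = /^(javascript|vbscript|data):/;

// Browsers drop ASCII control characters and ignore case when parsing a
// scheme, so normalise the same way before comparing.
function normaliseScheme(url) {
  return url.replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

// One finding per unsafe link: { block, line, url }; block is the 0-based
// index of the Mermaid block, line the 1-based line within the note.
function findUnsafeMermaidBlocks(markdown) {
  const findings = [];
  let block = 0;
  for (const fence of markdown.matchAll(MERMAID_FENCE)) {
    const body = fence[1];
    const fenceLine = markdown.slice(0, fence.index).split('\n').length;
    for (const target of body.matchAll(QUOTED_TARGET)) {
      const url = target[2];
      if (SCRIPT_SCHEMES.test(normaliseScheme(url))) {
        const line = fenceLine + body.slice(0, target.index).split('\n').length;
        findings.push({ block, line, url });
      }
    }
    block += 1;
  }
  return findings;
}

// Flags the BrowserWindow webPreferences the advisory describes. Only explicit
// values are checked, so the result does not depend on an Electron version's
// defaults.
function auditWebPreferences(prefs = {}) {
  const issues = [];
  if (prefs.nodeIntegration === true) issues.push('nodeIntegration is enabled');
  if (prefs.contextIsolation === false) issues.push('contextIsolation is disabled');
  if (prefs.sandbox === false) issues.push('sandbox is disabled');
  if (prefs.webSecurity === false) issues.push('webSecurity is disabled');
  return issues;
}

// Constructed sample note: a benign diagram, then one whose click target uses
// a javascript: scheme with mixed case and a leading tab to exercise
// normalisation. The target is a harmless void(0) placeholder.
const SAMPLE_NOTE = [
  '# Project notes',
  '',
  FENCE + 'mermaid',
  'graph TD',
  '  A[Start] --> B[Docs]',
  '  click B "https://example.com/docs" "Open docs"',
  FENCE,
  '',
  FENCE + 'mermaid',
  'graph LR',
  '  X[Click me] --> Y[Done]',
  '  click X href "\tJavaScript:void(0)" "tooltip"',
  FENCE,
].join('\n');

// The configuration the advisory names beside a hardened one.
const VULNERABLE_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findUnsafeMermaidBlocks(SAMPLE_NOTE));
  console.log(auditWebPreferences(VULNERABLE_PREFS));
  console.log(auditWebPreferences(HARDENED_PREFS));
}
```

Running the script on the constructed note reports the second block at line 12 and nothing for the first, and the audit lists both weak settings for the vulnerable preferences and none for the hardened ones. Because only quoted targets are inspected, a note reviewer should still read any block the scanner reports rather than treating an empty result as proof of safety.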


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 13:15:00 +0000

(no values removed)

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

(no values removed)

Type: First Time appeared
Values Added: Siyuan; Siyuan siyuan

Type: Vendors & Products
Values Added: Siyuan; Siyuan siyuan

Thu, 16 Apr 2026 23:15:00 +0000

(no values removed)

Type: Description
Values Added: SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.

Type: Title
Values Added: SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE

Type: Weaknesses
Values Added: CWE-79, CWE-94

Type: References
Values Added: (not shown on this page)

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T12:26:06.118Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40322

Vulnrichment

Updated: 2026-04-17T12:25:52.098Z

NVD

Status : Undergoing Analysis

Published: 2026-04-16T23:16:33.733

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:00:10Z

Weaknesses