Description
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. This vulnerability is fixed in 3.6.5.
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution on the desktop client via maliciously crafted notification messages
Action: Apply patch
AI Analysis

Impact

SiYuan renders notification messages as raw HTML inside an Electron window. The message posting API accepts a user-controlled value and forwards it to the renderer, which inserts it with insertAdjacentHTML. Because the Electron application is configured with nodeIntegration: true, contextIsolation: false, and webSecurity: false, any JavaScript executed from a notification gains unrestricted access to the Node.js API and can run arbitrary code on the host. The flaw is therefore a classic cross-site scripting bug that escalates to local code execution on the desktop client.

Affected Systems

The vulnerability affects all SiYuan desktop builds before version 3.6.5; the fix was introduced in 3.6.5 and later. Users running any earlier release of SiYuan on Windows, macOS, or Linux are potentially exposed.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑impact flaw, but the EPSS score of less than 1% suggests that exploit activity is currently minimal. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to send a crafted notification to the local instance, either by exploiting a local API or by gaining access to the same network or user account that can publish notifications. Once the notification is displayed, the attacker can execute arbitrary code with the privileges of the application user.

Generated by OpenCVE AI on April 28, 2026 at 05:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.5 or later, which removes the unvalidated notification rendering and disables the insecure Electron configuration.
  • If an upgrade is temporarily infeasible, reconfigure the Electron main process to set nodeIntegration to false, enable contextIsolation, and enforce webSecurity to limit access from injected scripts.
  • Audit the notification API for unnecessary exposure and restrict its access to trusted users or local network only to mitigate the risk of malicious payloads.
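The following is an added illustration and is not code from SiYuan or from the OpenCVE record: it places the Electron webPreferences the description attributes to affected builds (nodeIntegration: true, contextIsolation: false, webSecurity: false) beside the hardened values the recommended actions call for, adds a small audit helper that flags the weak settings, and shows a text-only notification sink in place of the insertAdjacentHTML pattern named in the description. The names createNotificationWindow, auditWebPreferences, renderNotification and escapeHtml, and the extra sandbox option, are assumptions made for the example; BrowserWindow is passed in as a parameter so the file runs under plain Node without Electron installed.

```javascript
// Added example (not SiYuan's code). Shows the weak Electron renderer
// configuration from the advisory beside a hardened one, an audit helper
// for the three settings, and a text-only notification sink.

// Constructed: the webPreferences the advisory attributes to affected builds.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,
  contextIsolation: false,
  webSecurity: false,
};

// Hardened counterpart: the renderer gets no Node, runs in an isolated
// world, and keeps same-origin enforcement. `sandbox: true` is an extra
// Electron option assumed here; the advisory does not mention it.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  webSecurity: true,
  sandbox: true,
};

// Returns findings for settings that let injected script reach Node or
// bypass the same-origin policy. contextIsolation counts as a finding
// unless it is explicitly true, because older Electron releases defaulted
// it to false.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (prefs.contextIsolation !== true) findings.push('contextIsolation is not enabled');
  if (prefs.webSecurity === false) findings.push('webSecurity is disabled');
  return findings;
}

// Hypothetical main-process helper. BrowserWindow is injected (a real
// main.js would use require('electron').BrowserWindow) so this file runs
// under plain Node. It refuses to build a window with weak settings.
function createNotificationWindow(BrowserWindow, prefs = HARDENED_WEB_PREFERENCES) {
  const problems = auditWebPreferences(prefs);
  if (problems.length > 0) {
    throw new Error('refusing to create window: ' + problems.join('; '));
  }
  return new BrowserWindow({ width: 800, height: 600, webPreferences: prefs });
}

// Escapes the five HTML-significant characters, for the case where a
// message still has to be embedded inside a markup string.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Text-only sink: assigning textContent means the message is never parsed
// as HTML. `element` is any object with a textContent property (a DOM node
// in the renderer; a plain object is enough for this demonstration).
function renderNotification(element, msg) {
  element.textContent = String(msg);
  return element;
}

// Stand-alone demonstration on constructed input.
console.log('weak config findings:', auditWebPreferences(WEAK_WEB_PREFERENCES));
console.log('hardened config findings:', auditWebPreferences(HARDENED_WEB_PREFERENCES));
console.log('rendered text:', renderNotification({}, '<b>status</b> & done').textContent);
```

In a real main process the audit would run once at startup against the webPreferences actually passed to BrowserWindow; on the renderer side, assigning textContent (or escaping with escapeHtml before any markup insertion) keeps a pushed msg from being interpreted as HTML regardless of the window settings, so the two measures are complementary rather than alternatives.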

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Siyuan, Siyuan siyuan
Vendors & Products  |                | Siyuan, Siyuan siyuan

Sat, 25 Apr 2026 02:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 19:15:00 +0000

Type        | Values Removed | Values Added
Description |                | SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. This vulnerability is fixed in 3.6.5.
Title       |                | SiYuan Desktop Notification XSS Leads to Electron RCE
Weaknesses  |                | CWE-78, CWE-79
References  |                |
Metrics     |                | cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:49:47.322Z

Reserved: 2026-04-20T15:32:33.813Z

Link: CVE-2026-41421

Vulnrichment

Updated: 2026-04-25T01:49:42.986Z

NVD

Status: Deferred

Published: 2026-04-24T19:17:13.740

Modified: 2026-04-27T18:53:00.053

Link: CVE-2026-41421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses