Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.
Published: 2026-05-14
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows stored cross‑site scripting (XSS) through attribute view names that are not escaped before embedding in HTML. When rendered in the Electron renderer, the injection evolves into Node.js code execution because the application runs with nodeIntegration enabled and context isolation disabled. An attacker can therefore inject arbitrary JavaScript that is executed with full Node privileges, compromising the local environment where the application runs.

Affected Systems

Siyuan, the open‑source personal knowledge management system, running any version prior to 3.7.0. The impacted installation uses an Electron browser window configured with nodeIntegration:true, contextIsolation:false, and webSecurity:false, making the renderer fully exposed to injected code.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity. Although an EPSS score is not available, the dependence on rendertargets and the lack of user confirmation steps make exploitation highly feasible for anyone who can influence attribute view names. The vulnerability is not listed in the CISA KEV catalog, but the high CVSS and the ease of code execution via standard WebSocket data pathways mean that the attack surface is effectively remote from a local attacker’s perspective. An attacker only requires write access to attribute view names or the ability to influence client‑side rendering, which can occur through any existing authenticated session to the SiYuan kernel.

Generated by OpenCVE AI on May 14, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.7.0 or later, where the attribute view name sanitization and Electron settings are corrected.
  • If an upgrade is not immediately possible, reconfigure the Electron main window to disable nodeIntegration and enable contextIsolation, thereby preventing injected code from executing Node.js APIs.
  • In the meantime, implement client‑side sanitization for attribute view names by applying an HTML escape routine before rendering, or restrict attribute view name modifications to privileged users only.

Generated by OpenCVE AI on May 14, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2h64-c999-c9r6 SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
History

Fri, 15 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.
Title SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan
Weaknesses CWE-1188
CWE-79
CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T14:40:39.078Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44670

cve-icon Vulnrichment

Updated: 2026-05-15T14:39:10.418Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T19:16:38.437

Modified: 2026-05-15T15:16:53.737

Link: CVE-2026-44670

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T21:15:16Z

Weaknesses