Impact
SiYuan contains a stored cross‑site scripting weakness in the Attribute View asset cell renderer: an attacker who can inject data into the database can break out of the page context, because the desktop Electron client renders that stored data without proper sanitization. The XSS can then be leveraged to execute arbitrary JavaScript in the user's process, giving the attacker full control over the machine running the application. The flaw is a classic instance of CWE‑79, and its CVSS score of 9.9 reflects the critical combination of high impact and the full user interaction involved in the Electron desktop client.
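The rendering defect described above, shown as an added example rather than SiYuan's own code: a minimal asset cell renderer that concatenates stored values straight into markup (the vulnerable pattern), beside a hardened version that escapes every text node and attribute value and only accepts the relative asset paths the application expects. Function names (renderAssetCellUnsafe, renderAssetCellSafe, isAllowedAssetPath) and the assets/ path convention are assumptions, and the stored asset record is constructed for the example.

```javascript
// Added example, not code from the SiYuan project. It models the advisory's
// "attribute view asset cell renderer" as a function that turns a stored asset
// record into an HTML string, first the unsafe way, then a hardened way.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that matter in both text nodes and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: legitimate asset links are relative paths below assets/ with a
// conservative character set and no parent-directory segments.
function isAllowedAssetPath(path) {
  return (
    typeof path === "string" &&
    /^assets\/[\w./-]+$/.test(path) &&
    !path.includes("..")
  );
}

// Vulnerable pattern (hypothetical name): stored name and path are interpolated
// directly into markup, so any markup the database holds is interpreted by the
// renderer's webview.
function renderAssetCellUnsafe(asset) {
  return `<div class="av-cell"><a href="${asset.path}">${asset.name}</a></div>`;
}

// Hardened pattern (hypothetical name): text is escaped, the attribute value is
// escaped, and the href is validated against the expected asset path shape.
function renderAssetCellSafe(asset) {
  const href = isAllowedAssetPath(asset.path) ? escapeHtml(asset.path) : "#";
  return `<div class="av-cell"><a href="${href}">${escapeHtml(asset.name)}</a></div>`;
}

// Defensive self-check: does the rendered output still contain the raw
// markup that was stored in the record? Useful as a unit test for a renderer.
function leaksStoredMarkup(renderer, asset) {
  const html = renderer(asset);
  return html.includes(asset.name) && /<[a-z]/i.test(asset.name);
}

// Constructed sample record: a stored asset whose name and path carry markup
// and a non-asset URL scheme, of the kind the advisory says is not sanitized.
const STORED_ASSET = { name: "<script>notify()</script>", path: "javascript:notify()" };
const BENIGN_ASSET = { name: "Q3 report.pdf", path: "assets/q3-report.pdf" };

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe leaks markup:", leaksStoredMarkup(renderAssetCellUnsafe, STORED_ASSET));
  console.log("safe   leaks markup:", leaksStoredMarkup(renderAssetCellSafe, STORED_ASSET));
  console.log(renderAssetCellSafe(BENIGN_ASSET));
}
```

Escaping at the rendering boundary is the direct fix for CWE‑79; in an Electron client it should be paired with the platform's own isolation settings (contextIsolation enabled, nodeIntegration disabled, a restrictive Content‑Security‑Policy), which limit what a script that does slip through can reach in the user's process.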
Affected Systems
All installations of the SiYuan personal knowledge management system running a version earlier than 3.7.0 are affected. The product is open‑source and maintained on GitHub, with the advisory listing only this single product.
Risk and Exploitability
The vulnerability is rated CVSS 9.9, indicating an exploitable remote code execution path with limited prerequisites: an attacker only needs a means to insert malicious content into an attribute view cell, which can be done through standard user actions if the interface allows it. No EPSS score is available, but the high CVSS makes it a high‑priority risk. The flaw has not yet appeared in CISA's KEV catalog, but the absence of a KEV listing does not change the fact that it is a severe exploit path when the desktop Electron client is used.
OpenCVE Enrichment