Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fixed in 3.7.0.
Published: 2026-06-24
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan is an open‑source personal knowledge management system. Prior to version 3.7.0, it contains a stored cross‑site scripting vulnerability within the Attribute View asset cell renderer that can be leveraged to achieve remote code execution in the Electron desktop client. The flaw escalates from a typical XSS weakness to full control of the user’s machine. The vulnerability is fixed in 3.7.0. With a CVSS score of 9.9, this vulnerability poses a high‑impact remote code execution risk and is a classic example of CWE‑79.

Affected Systems

All installations of the SiYuan personal knowledge management system running a version earlier than 3.7.0 are affected. The product is open‑source and maintained on GitHub, with the advisory listing only this single product.

Risk and Exploitability

The vulnerability is rated CVSS 9.9, indicating an exploitable remote code execution path with limited prerequisites—an attacker only needs to have a means to insert malicious content into the attribute view cell, which can be done via standard user actions if the interface allows it. No EPSS score is available, but the high CVSS makes it a high‑priority risk. The flaw has not yet appeared in CISA’s KEV catalog, but the lack of a KEV listing does not change the fact that it is a severe exploit path when the desktop Electron client is used.

Generated by OpenCVE AI on June 25, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to SiYuan version 3.7.0 or later to remove the vulnerable renderer
  • If an upgrade cannot be performed immediately, disable or remove the Attribute View feature from the database or block write access to attribute view cells until a patch is applied
  • Review the application’s content ingestion points and apply input sanitization or statement‑level validation to prevent injection of malicious attributes

Generated by OpenCVE AI on June 25, 2026 at 00:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-56mp-4f3v-fgj2 SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fixed in 3.7.0.
Title SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:20:40.202Z

Reserved: 2026-06-04T20:37:18.654Z

Link: CVE-2026-50551

cve-icon Vulnrichment

Updated: 2026-06-25T13:20:36.686Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')