Impact
SiYuan is an open‑source personal knowledge management system. Prior to version 3.7.0, it contains a stored cross‑site scripting vulnerability within the Attribute View asset cell renderer that can be leveraged to achieve remote code execution in the Electron desktop client. The flaw escalates from a typical XSS weakness to full control of the user’s machine. The vulnerability is fixed in 3.7.0. With a CVSS score of 9.9, this vulnerability poses a high‑impact remote code execution risk and is a classic example of CWE‑79.
Affected Systems
All installations of the SiYuan personal knowledge management system running a version earlier than 3.7.0 are affected. The product is open‑source and maintained on GitHub, with the advisory listing only this single product.
Risk and Exploitability
The vulnerability is rated CVSS 9.9, indicating an exploitable remote code execution path with limited prerequisites—an attacker only needs to have a means to insert malicious content into the attribute view cell, which can be done via standard user actions if the interface allows it. No EPSS score is available, but the high CVSS makes it a high‑priority risk. The flaw has not yet appeared in CISA’s KEV catalog, but the lack of a KEV listing does not change the fact that it is a severe exploit path when the desktop Electron client is used.
OpenCVE Enrichment
Github GHSA