SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and...

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.

AI Analysis

Stored XSS and arbitrary code execution via Mermaid diagram injection

Basic Information

ID CVE-2026-40322

Source GitHub_M

Published Apr 16, 2026 at 23:00

Affected Product

Vendor siyuan-note

Product siyuan

Version < 3.6.4

Affected Versions siyuan-note siyuan < 3.6.4

CWE Classification

CWE-79 CWE-94

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor siyuan-note

Product SiYuan

Version 3.6.3 and below

References

{
    "lastseen": "",
    "description": "SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to \"loose\", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.",
    "published": "2026-04-16T23:00:07.719Z",
    "modified": "2026-04-16T23:00:07.719Z",
    "type": "cve",
    "title": "SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE",
    "source": "GitHub_M",
    "references": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x63q-3rcj-hhp5\nhttps://github.com/siyuan-note/siyuan/releases/tag/v3.6.4",
    "id": "CVE-2026-40322",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "siyuan-note siyuan < 3.6.4",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "siyuan",
    "version": "< 3.6.4",
    "vendor": "siyuan-note",
    "ai_description": "Stored XSS and arbitrary code execution via Mermaid diagram injection",
    "ai_severity": "Critical",
    "ai_vendor": "siyuan-note",
    "ai_product": "SiYuan",
    "ai_version": "3.6.3 and below",
    "ai_score": 9.1
}

SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE_CVE-2026-40322