CVE 9.4 CRITICAL

SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan_CVE-2026-44670

May 14, 2026 invoker category_cve
9.4 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.

AI Analysis

Stored XSS via Attribute View name to Electron renderer RCE

Basic Information

ID CVE-2026-44670
Source GitHub_M
Published May 14, 2026 at 18:25

Affected Product

Vendor siyuan-note
Product siyuan
Version < 3.7.0
Affected Versions siyuan-note siyuan < 3.7.0

CWE Classification

CWE-79 CWE-94 CWE-1188

AI Assessment

AI Score 9.4 / 10
AI Severity Critical
Vendor siyuan-note
Product SiYuan
Version < 3.7.0

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.