SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset...

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fixed in 3.7.0.

AI Analysis

Stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client

Basic Information

ID CVE-2026-50551

Source GitHub_M

Published Jun 24, 2026 at 21:20

Affected Product

Vendor siyuan-note

Product siyuan

Version < 3.7.0

Affected Versions siyuan-note siyuan < 3.7.0

CWE Classification

CWE-79

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor siyuan-note

Product SiYuan

Version < 3.7.0

References

github.com /siyuan-note/siyuan/security/advisories/GHSA-56mp-4f3v-fgj2

{
    "lastseen": "",
    "description": "SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fixed in 3.7.0.",
    "published": "2026-06-24T21:20:42.004Z",
    "modified": "2026-06-24T21:20:42.004Z",
    "type": "cve",
    "title": "SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content",
    "source": "GitHub_M",
    "references": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56mp-4f3v-fgj2",
    "id": "CVE-2026-50551",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "siyuan-note siyuan < 3.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "siyuan",
    "version": "< 3.7.0",
    "vendor": "siyuan-note",
    "ai_description": "Stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client",
    "ai_severity": "Critical",
    "ai_vendor": "siyuan-note",
    "ai_product": "SiYuan",
    "ai_version": "< 3.7.0",
    "ai_score": 9.9
}

SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content_CVE-2026-50551