Skip to main content

Node.js CVE-2026-39846

| EUVDEUVD-2026-19973 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-04-07 GitHub_M GHSA-phhp-9rm9-6gr2
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 04:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 04:50 vuln.today
cvss_changed
Patch released
Apr 08, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 22:16 euvd
EUVD-2026-19973
Analysis Generated
Apr 07, 2026 - 22:16 vuln.today
CVE Published
Apr 07, 2026 - 21:34 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.

AnalysisAI

Remote code execution in SiYuan desktop client (Electron-based) versions prior to 3.6.4 allows authenticated attackers to execute arbitrary code on victim systems via malicious notes propagated through workspace sync. Stored XSS in table caption fields escalates to RCE due to nodeIntegration enabled and contextIsolation disabled in Electron renderer. CVSS 9.0 (Critical) with scope change indicates escape from browser context. No active exploitation confirmed (not in CISA KEV). EPSS score 0.14% suggests low current exploitation probability. Vendor-released patch: version 3.6.4.

Technical ContextAI

SiYuan is an Electron-based personal knowledge management system with multi-device synchronization. The vulnerability affects the desktop client (cpe:2.3:a:siyuan-note:siyuan) where table caption content undergoes unsafe HTML rendering. The root cause is CWE-79 (Cross-Site Scripting) combined with insecure Electron configuration. In Electron applications, nodeIntegration:true grants renderer processes access to Node.js APIs (filesystem, child_process, native modules), while contextIsolation:false removes the security boundary between preload scripts and web content. These deprecated settings, intended for legacy compatibility, allow JavaScript XSS payloads to directly invoke require() and execute system commands. The sync mechanism propagates malicious notes between users' workspaces, turning a local XSS into a wormable attack vector. This represents a common Electron security anti-pattern where web content security assumptions (XSS = browser sandbox escape only) fail catastrophically when combined with Node.js API access.

RemediationAI

Upgrade immediately to SiYuan version 3.6.4 or later, which implements proper HTML escaping for table caption content and likely addresses the insecure Electron configuration (nodeIntegration/contextIsolation settings). Download from official GitHub releases at https://github.com/siyuan-note/siyuan/releases. For environments where immediate upgrade is not feasible, implement compensating controls: disable workspace sync functionality to prevent propagation of malicious notes (eliminates attack vector but breaks collaboration features-acceptable only for single-user deployments), restrict note import capabilities to trusted sources only through access controls, and deploy endpoint detection monitoring for suspicious child process creation from Electron renderer processes (siyuan.exe spawning cmd.exe, powershell.exe, or bash-high false-positive risk in legitimate automation scenarios). Network-level controls are ineffective since the malicious content arrives via legitimate sync protocol. Administrative note review before sync is impractical at scale. No workaround fully mitigates risk-upgrade to 3.6.4 is the only complete fix.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-39846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy