
Node.js CVE-2026-39846

EUVD-2026-19973 | CRITICAL 9.0 (CVSS 3.1)
Cross-site Scripting (XSS) (CWE-79)
Published 2026-04-07 by GitHub_M (GHSA-phhp-9rm9-6gr2)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Updated: Apr 16, 2026 - 04:58 (vuln.today), v2 (cvss_changed)
Re-analysis Queued: Apr 16, 2026 - 04:50 (vuln.today), cvss_changed
Patch released: Apr 08, 2026 - 20:30 (nvd), patch available
EUVD ID Assigned: Apr 07, 2026 - 22:16 (euvd), EUVD-2026-19973
Analysis Generated: Apr 07, 2026 - 22:16 (vuln.today)
CVE Published: Apr 07, 2026 - 21:34 (nvd), CRITICAL 9.0

Description (NVD)

SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript that reaches the DOM executes with access to Node.js APIs, so a renderer-side XSS is equivalent to code execution on the host. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
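The two halves of this bug, the "store raw, unescape at render" caption path and the Electron renderer settings that turn a DOM injection into host code execution, are easy to model without the application. The following is an added illustration written for this page; it is not SiYuan's code, and the function names, the constructed caption string and the webPreferences objects are assumptions chosen to mirror the advisory's description. The audit helper generalises slightly beyond the advisory by also flagging a disabled sandbox, since that is the third renderer setting a reviewer would check.

```javascript
// Added example (not SiYuan's code): a caption stored without escaping and
// unescaped at render time becomes a stored XSS sink; the fix is to escape at
// the render boundary. The second part shows why the Electron webPreferences
// named in the advisory make such an XSS equivalent to RCE.

// Plain HTML escaper for text interpolated into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Inverse of escapeHtml, standing in for an "unescape before render" step.
// Applied to text that was never escaped on the way in, it is a no-op for
// attacker markup, which then lands in the DOM as markup.
function unescapeHtml(s) {
  return String(s)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern (hypothetical): caption is stored as-is and unescaped
// into the table markup when the note is rendered.
function renderCaptionVulnerable(storedCaption) {
  return `<table><caption>${unescapeHtml(storedCaption)}</caption></table>`;
}

// Hardened pattern: never unescape user text into HTML; escape once, at the
// point where the caption is emitted into markup.
function renderCaptionFixed(storedCaption) {
  return `<table><caption>${escapeHtml(storedCaption)}</caption></table>`;
}

// Constructed test input: a harmless marker, not a real payload.
const CRAFTED_CAPTION = '<img src=x onerror="alert(1)">';

// True when the rendered HTML still carries the tag as live markup rather
// than as escaped text.
function containsRawTag(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Electron webPreferences (assumed objects, passed to new BrowserWindow()).
// The combination the advisory describes: page JavaScript can require()
// Node modules directly, and there is no isolated world between page and
// preload scripts.
const WEAK_WEBPREFS = { nodeIntegration: true, contextIsolation: false };

// Hardened renderer: no Node in the page, isolated contexts, OS sandbox.
// With these, the same XSS is confined to the renderer and the DOM.
const HARDENED_WEBPREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Audit helper: returns one finding per setting that would let a renderer
// XSS escalate. Empty array means the renderer is configured safely.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration enabled: page script can reach Node.js APIs");
  }
  if (prefs.contextIsolation === false) {
    findings.push("contextIsolation disabled: page script shares the preload's world");
  }
  if (prefs.sandbox === false) {
    findings.push("sandbox disabled: renderer process is not OS-sandboxed");
  }
  return findings;
}

// Stand-alone run: shows both renderings and the two audits.
console.log(renderCaptionVulnerable(CRAFTED_CAPTION));
console.log(renderCaptionFixed(CRAFTED_CAPTION));
console.log(auditWebPreferences(WEAK_WEBPREFS));
console.log(auditWebPreferences(HARDENED_WEBPREFS));
```

The point of the audit helper is that the fix in 3.6.4 closes one sink, while the renderer settings decide the blast radius of the next one: with nodeIntegration on and contextIsolation off, any future DOM injection in the client is again host code execution, so both the escaping fix and the webPreferences are worth checking when reviewing an Electron client.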

Analysis (AI)

Remote code execution in the SiYuan desktop client (Electron-based) in versions prior to 3.6.4 allows an authenticated attacker with access to a shared workspace to execute arbitrary code on a victim's system via a malicious note propagated through workspace sync. Stored XSS in the table caption field escalates to RCE because the Electron renderer runs with nodeIntegration enabled and contextIsolation disabled. …


Remediation (AI)

Within 24 hours: identify all SiYuan desktop client deployments and their current versions via asset inventory or endpoint management tools. Within 7 days: deploy SiYuan desktop client version 3.6.4 or later to all affected systems; prioritize users with shared workspace access or cloud sync enabled, since those are the users to whom a crafted note can be delivered. …


CVE-2026-39846 vulnerability details – vuln.today
