Skip to main content

Microsoft CVE-2026-40107

| EUVDEUVD-2026-21148 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-09 security-advisories@github.com GHSA-w95v-4h65-j455
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 21:22 euvd
EUVD-2026-21148
Analysis Generated
Apr 09, 2026 - 21:22 vuln.today
CVE Published
Apr 09, 2026 - 21:16 nvd
HIGH 8.7

DescriptionGitHub Advisory

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker. This vulnerability is fixed in 3.6.4.

AnalysisAI

NTLM credential theft in SiYuan personal knowledge management system (prior to 3.6.4) allows remote attackers to capture Windows user password hashes without authentication or user interaction. Misconfigured Mermaid.js rendering with securityLevel:loose permits unsanitized <img> tags within SVG foreignObject blocks. Protocol-relative URLs in malicious Mermaid diagrams trigger automatic SMB authentication on Windows, transmitting NTLMv2 hashes to attacker-controlled servers when victims open compromised notes. Electron client processes the SVG via innerHTML without secondary sanitization, enabling SSRF to UNC paths.

Technical ContextAI

Root cause combines CWE-918 SSRF with unsafe Mermaid.js configuration. securityLevel:loose bypasses DOMPurify restrictions; htmlLabels:true enables HTML injection in SVG foreignObject elements. innerHTML injection creates unvalidated network requests. Windows SMB auto-authentication converts protocol-relative URLs (//attacker.com) to UNC paths (\\attacker.com), forcing NTLM handshake without user prompt. CPE covers Electron-based desktop clients on all platforms (cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*).

RemediationAI

Vendor-released patch: upgrade to SiYuan 3.6.4 immediately. Version 3.6.4 enforces stricter Mermaid.js securityLevel configuration and implements secondary sanitization of SVG content before DOM injection. Users unable to upgrade should disable Mermaid diagram rendering in application settings and avoid opening untrusted notes until patched. Windows environments face highest risk; consider network-level blocking of outbound SMB (ports 445, 139) to mitigate hash exfiltration. For technical details and vendor confirmation, review the official security advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w95v-4h65-j455. No public exploit identified at time of analysis. Authentication requirement: unauthenticated (CVSS PR:N).

Share

CVE-2026-40107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy