Skip to main content

SiYuan CVE-2026-59855

HIGH
Basic XSS (CWE-80)
2026-07-09 GitHub_M
8.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Remotely deliverable content but requires the victim to open the crafted asset (UI:R); no attacker privileges (PR:N); Electron renderer RCE yields high C/I/A; scope unchanged as impact stays within the app's OS context.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 23:23 vuln.today

DescriptionCVE.org

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an event handler, and execute JavaScript that can run OS commands in the Electron renderer. This issue is fixed in versions 3.7.1-alpha.2 and 3.7.1.

AnalysisAI

Cross-site scripting escalating to remote code execution in SiYuan (open-source personal knowledge management) before 3.7.1 lets an attacker embed a crafted asset link whose path contains a double quote, breaking out of an image src attribute in Asset.render to inject an event handler. Because SiYuan runs in an Electron renderer with OS-level capabilities, the injected JavaScript can execute arbitrary operating-system commands on the victim's machine once the malicious asset is opened. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft asset link with double-quote payload
Delivery
Deliver via shared or imported document
Exploit
Victim opens asset in SiYuan
Execution
Path interpolated into innerHTML, handler injected
Persist
JavaScript runs in Electron renderer
Impact
Execute OS commands on host

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open or render a crafted asset link - an asset whose this.path value contains a double quote to escape the src attribute of the generated <img>/asset HTML and inject an event handler - inside the SiYuan Electron desktop client prior to 3.7.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 8.6 with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H - network reachable, low complexity, no privileges, but active user interaction required, with high impact to confidentiality, integrity and availability of the vulnerable system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a SiYuan document containing an asset link whose path includes a double quote plus an injected event handler, then shares it (e.g., a community template, exported note, or shared workspace). When the victim opens the document in the SiYuan desktop app, Asset.render writes the malformed path into innerHTML, the injected handler fires, and JavaScript runs in the Electron renderer to execute OS commands on the victim's machine. …
Remediation Vendor-released patch: upgrade to SiYuan 3.7.1 (or 3.7.1-alpha.2), which sanitizes the asset path before it is written to innerHTML; the fix is commit efbe3a557720034782643e55c9e0282530cb6bbb (https://github.com/siyuan-note/siyuan/commit/efbe3a557720034782643e55c9e0282530cb6bbb) and is described in advisory GHSA-w3gq-5j72-36vc. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all SiYuan deployments and notify users to avoid opening asset links from external sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Siyuan

View all
CVE-2024-53507 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems. Rated critical severity (CVSS 9.8), t

CVE-2024-53506 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs. R

CVE-2024-53505 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent. Rated criti

CVE-2024-53504 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory. Rated c

CVE-2026-23852 CRITICAL POC
9.6 Jan 19

SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code ex

CVE-2026-54069 CRITICAL POC
9.2 Jun 24

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chro

CVE-2026-29183 CRITICAL POC
9.3 Mar 06

Reflected XSS in SiYuan knowledge management before 3.5.9.

CVE-2026-25539 CRITICAL POC
9.1 Feb 04

SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file ope

CVE-2024-2692 CRITICAL POC
9.0 Apr 04

SiYuan version 3.0.3 allows executing arbitrary commands on the server. Rated critical severity (CVSS 9.0), this vulnera

CVE-2026-29073 HIGH POC
8.8 Mar 06

SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to

CVE-2026-34605 HIGH POC
8.6 Mar 31

Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers t

CVE-2026-54066 HIGH POC
7.5 Jun 24

Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote att

Share

CVE-2026-59855 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy