CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
Analysis
Remote code execution in SiYuan Electron desktop client (prior to version 3.6.4) allows authenticated attackers to execute arbitrary code on victim systems through maliciously crafted notes synced across workspaces. The vulnerability chains a stored XSS flaw in table caption rendering with insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled), elevating DOM-based script injection to full Node.js API access. …
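As an added illustration (not SiYuan's code), the two halves of the chain described above in plain JavaScript: a caption pipeline that stores text raw and unescapes it when building HTML, beside one that escapes at render time, plus a check over the Electron webPreferences settings the advisory names. All function names and the sample caption are constructed.

```javascript
// Added example, not SiYuan's code. Models the advisory's stored XSS sink
// (unescaped table caption) and the Electron settings that let it reach Node.

// Escape untrusted text so it renders as literal characters, never markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reverse of escapeHtml: turns entities back into live characters.
function unescapeHtml(text) {
  return String(text)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern: the caption is stored as-is and then unescaped into the
// <caption> element, so any markup in a synced note becomes live DOM.
function renderCaptionUnsafe(storedCaption) {
  return `<table><caption>${unescapeHtml(storedCaption)}</caption></table>`;
}

// Hardened form: escape at the point the text enters HTML.
function renderCaptionSafe(storedCaption) {
  return `<table><caption>${escapeHtml(storedCaption)}</caption></table>`;
}

// Audit a BrowserWindow webPreferences object (hypothetical helper): returns
// the settings that let renderer-side script injection reach Node.js APIs.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration should be false");
  if (prefs.contextIsolation === false) findings.push("contextIsolation should be true");
  if (prefs.sandbox === false) findings.push("sandbox should be true");
  return findings;
}

// Constructed caption standing in for a crafted note; markup only, no script.
const constructedCaption = "Q3 totals <b>bold</b>";
console.log(renderCaptionUnsafe(constructedCaption)); // <b> survives as markup
console.log(renderCaptionSafe(constructedCaption));   // <b> becomes &lt;b&gt;
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false }));
```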
Remediation
Within 24 hours: Audit all SiYuan installations across your organization and document the versions currently in use; immediately restrict syncing of notes from external or untrusted workspaces until patched. Within 7 days: Contact the SiYuan development team for patch timeline confirmation; once the patch is released, deploy version 3.6.4 or later to all affected systems. …
External POC / Exploit Code
EUVD-2026-19973
GHSA-phhp-9rm9-6gr2