
SiYuan EUVD-2026-25614 | CVE-2026-41421 | HIGH (CVSS 3.1 base score 8.8)
Weakness: OS Command Injection (CWE-78)
Published: 2026-04-24, source: GitHub_M

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events, newest first)

Apr 27, 2026 18:53 (nvd): Patch released [Patch available]
Apr 25, 2026 03:22 (vuln.today): Re-analysis Queued [cvss_changed]
Apr 24, 2026 21:02 (EUVD): Patch available
Apr 24, 2026 19:45 (vuln.today): Analysis Generated
Apr 24, 2026 19:15 (euvd): EUVD ID Assigned (EUVD-2026-25614)
Apr 24, 2026 19:15 (vuln.today): Analysis Generated
Apr 24, 2026 18:53 (nvd): CVE Published (HIGH 8.8)

Description (NVD)

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. This vulnerability is fixed in 3.6.5.
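The description names two separate defects: a renderer sink that treats the notification text as markup, and a BrowserWindow configuration that lets any script in that renderer reach Node. The following added example, written for this page and not taken from SiYuan's code base, shows the defensive side of both: a notification renderer that escapes the untrusted msg before it is inserted (the class name `notification__content` and the function names are assumptions, not SiYuan's), and a small audit of an Electron webPreferences object that flags the three settings the description lists. The sample message is constructed.

```javascript
// Added example (not SiYuan's code). Demonstrates the fix pattern for the
// notification sink and a configuration audit for the Electron settings that
// turn HTML injection into Node access. Runs under Node without a DOM.

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe pattern from the description: the raw msg is concatenated into markup
// that the caller then hands to insertAdjacentHTML(). Kept only for contrast.
function renderNotificationUnsafe(msg) {
  return `<div class="notification__content">${msg}</div>`; // class name assumed
}

// Hardened renderer: msg is escaped, so whatever it contains can only become
// text. In a real renderer, el.textContent = msg or insertAdjacentText() is
// the simpler equivalent; escaping is shown here so the result is checkable.
function renderNotificationSafe(msg) {
  return `<div class="notification__content">${escapeHtml(msg)}</div>`;
}

// Audit a BrowserWindow webPreferences object for the settings named in the
// description. Electron's current defaults are nodeIntegration: false,
// contextIsolation: true, webSecurity: true and sandbox: true, so an omitted
// key is treated as safe and only an explicit weakening is reported.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration: true lets page scripts call require() and reach process');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation: false removes the boundary between page scripts and preload/Electron internals');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity: false disables the same-origin policy for this window');
  }
  if (prefs.sandbox === false) {
    findings.push('sandbox: false runs the renderer process unsandboxed');
  }
  return findings;
}

// Constructed inputs: a notification body carrying markup, and the two
// configurations the description contrasts (vulnerable vs. fixed defaults).
const constructedMsg = 'Sync finished <img src=x onerror=alert(1)>';
const vulnerablePrefs = { nodeIntegration: true, contextIsolation: false, webSecurity: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, webSecurity: true, sandbox: true };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderNotificationUnsafe(constructedMsg));
  console.log('safe   :', renderNotificationSafe(constructedMsg));
  console.log('vulnerable prefs findings:', auditWebPreferences(vulnerablePrefs));
  console.log('hardened prefs findings  :', auditWebPreferences(hardenedPrefs));
}
```

The escaped output still displays the literal text of the message, but the `<img>` tag never becomes an element, which is the property the sink needs. The audit is deliberately strict about explicit `false`/`true` values rather than inferring defaults from an Electron version, so it is worth running over every `new BrowserWindow({ webPreferences: ... })` call in a code base, not only the main window.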

Analysis (AI)

Authenticated local users can execute arbitrary code on Windows, macOS, and Linux via HTML injection in SiYuan desktop notification messages through version 3.6.4. The Electron-based desktop application mishandles notification rendering with unsafe settings (nodeIntegration enabled, contextIsolation disabled, webSecurity disabled), escalating XSS to full system compromise. …


Remediation (AI)

Within 24 hours: identify all endpoints running SiYuan versions up to 3.6.4 using endpoint detection tools or asset inventory. Within 7 days: deploy SiYuan version 3.6.5 or later across all affected endpoints through managed patching; verify completion via inventory systems. …



EUVD-2026-25614 vulnerability details – vuln.today
