PT-2026-31031 · Electron+1

Ngocnn97 · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-39846

CVSS v3.1: 9.0 Critical (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.4

Description

SiYuan, a personal knowledge management system, is susceptible to remote code execution in the Electron desktop client prior to version 3.6.4. This occurs because table caption content is stored and rendered in HTML without proper escaping, creating a stored cross-site scripting (XSS) vulnerability. The desktop renderer's configuration, with nodeIntegration enabled and contextIsolation disabled, allows attacker-controlled JavaScript to execute with full access to Node.js APIs. An attacker can exploit this by importing a crafted note into a synced workspace, which then executes code on the victim's machine when the note is opened.

Recommendations

Update to version 3.6.4 or later.
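
The two conditions the description combines, caption text rendered without escaping and a renderer with nodeIntegration enabled and contextIsolation disabled, shown beside their hardened forms. This is an added example, not SiYuan's code: every function name is hypothetical and the caption string is constructed.

```javascript
// Added illustration; helper names are hypothetical, not SiYuan's API.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode characters that would otherwise be parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the advisory describes: stored caption text placed into HTML as-is.
function renderCaptionUnescaped(caption) {
  return `<caption>${caption}</caption>`;
}

// Hardened form: the caption is treated as text, never as markup.
function renderCaptionEscaped(caption) {
  return `<caption>${escapeHtml(caption)}</caption>`;
}

// Flag the two Electron webPreferences settings the advisory names.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration: true exposes Node.js APIs to page script");
  }
  if (prefs.contextIsolation === false) {
    findings.push("contextIsolation: false shares one JS context between page and privileged code");
  }
  return findings;
}

// Constructed sample input: a caption carrying markup with an inert handler.
const sampleCaption = 'Q1 totals <i onclick="void 0">(draft)</i>';
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true };

console.log(renderCaptionUnescaped(sampleCaption)); // markup survives into the DOM
console.log(renderCaptionEscaped(sampleCaption));   // markup is rendered as text
console.log(auditWebPreferences(weakPrefs));        // two findings
console.log(auditWebPreferences(hardenedPrefs));    // no findings
```

Escaping alone removes the injection point; the webPreferences audit addresses why script in the renderer reaches Node.js at all.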

Fix

RCE

Code Injection

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-39846

Affected Products

Electron
Siyuan