PT-2026-31031 · Electron+1

Author: Ngocnn97 · Published 2026-04-07 · Updated 2026-04-09 · CVE-2026-39846

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the vulnerable software and affected versions: SiYuan versions prior to 3.6.4

Description: SiYuan is susceptible to remote code execution (RCE) via a stored cross-site scripting (XSS) vulnerability in table captions. Table caption content is stored without proper escaping and is later unescaped into the rendered HTML, which creates an XSS sink. The SiYuan Electron desktop client's renderer is configured with nodeIntegration enabled and contextIsolation disabled, so attacker-controlled JavaScript that runs in the renderer has access to Node.js APIs. An attacker can import a crafted note into a synced workspace; once the victim syncs and opens the note, code execution is achieved. The vulnerability is triggered by crafted table captions containing encoded HTML, such as <img src=x onerror=...>, which are rendered as live DOM elements. A payload like require('child_process').exec('calc') can then be used to execute commands on the victim's machine.

Recommendations: Update to version 3.6.4 or later.
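The advisory describes two independent defects that only become RCE in combination: an unescaped caption sink in the renderer, and a BrowserWindow whose renderer can reach Node.js. The following is an added example (not SiYuan's or Electron's own code) written from the defender's side: it shows the caption sink beside its escaped form, and an audit helper that flags the nodeIntegration/contextIsolation combination named in the advisory. It runs under plain Node.js with no Electron dependency; the sample caption and the two webPreferences objects are constructed here for illustration.

```javascript
// Added example, not code from SiYuan or Electron. Demonstrates (1) escaping
// untrusted table captions at the point where text becomes HTML, and (2)
// auditing an Electron webPreferences object for the settings that let a
// renderer XSS reach Node.js. Sample inputs below are constructed.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the sink described in the advisory: stored caption text is spliced
// into markup verbatim, so any tag inside it becomes a live DOM element.
function renderCaptionUnsafe(caption) {
  return `<caption>${caption}</caption>`;
}

// Hardened variant: the caption stays text no matter what it contains.
function renderCaptionSafe(caption) {
  return `<caption>${escapeHtml(caption)}</caption>`;
}

// Audit an Electron BrowserWindow webPreferences object (plain object here).
// Returns a list of findings; an empty list means the renderer is isolated.
// Electron's defaults are nodeIntegration: false and contextIsolation: true.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: page scripts can call require()');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation disabled: page scripts share the preload world');
  }
  if (prefs.nodeIntegration === true && prefs.contextIsolation === false) {
    findings.push('renderer XSS escalates to Node.js code execution');
  }
  return findings;
}

// Constructed sample caption shaped like the trigger in the advisory.
const SAMPLE_CAPTION = '<img src=x onerror=...>';

// Constructed preference sets: the weak combination the advisory describes,
// and a hardened one (preload path is a placeholder).
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/path/to/preload.js', // placeholder
};

console.log(renderCaptionUnsafe(SAMPLE_CAPTION)); // tag survives into markup
console.log(renderCaptionSafe(SAMPLE_CAPTION));   // tag is inert text
console.log(auditWebPreferences(WEAK_PREFS));     // three findings
console.log(auditWebPreferences(HARDENED_PREFS)); // []
```

Escaping at the sink is the actual fix for the XSS; turning nodeIntegration off and contextIsolation on is defence in depth that keeps a future renderer XSS from becoming command execution. The audit only reads the settings that the advisory names, so a window that is isolated but exposes a broad preload API would still need manual review.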

Tags: Exploit · Fix · RCE · Code Injection · XSS
Related Identifiers: CVE-2026-39846, GHSA-PHHP-9RM9-6GR2

Affected Products: Electron, SiYuan