PT-2026-33374 · Siyuan · Siyuan

Published 2026-04-16 · Updated 2026-04-18 · CVE-2026-40322

CVSS v3.1: 9.0 Critical

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.4

Description

Mermaid diagrams are rendered with the securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to be included in the rendered output. In desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, which allows a stored cross-site scripting (XSS) attack to escalate to arbitrary code execution when a user opens a note containing a malicious Mermaid block and clicks the rendered diagram node.

Recommendations

Update to version 3.6.4.
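
The three settings named in the description, and the link targets that reach the DOM, can be checked mechanically. The following is an added example, not SiYuan's code or its fix: the function names isSafeLinkTarget and auditRenderer, the scheme allowlist and the sample inputs are hypothetical, and the link check assumes attribute values read from an already parsed DOM.

```javascript
// Added example (not SiYuan code). Function names are hypothetical.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed allowlist

// Decide whether a link target taken from a parsed SVG attribute
// (href / xlink:href, already entity-decoded by the parser) is allowed.
function isSafeLinkTarget(href) {
  // URL parsers drop tab/CR/LF anywhere and leading C0 controls/spaces,
  // so "java\tscript:" must be normalized before the scheme is read.
  const cleaned = String(href)
    .replace(/[\t\r\n]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const scheme = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.exec(cleaned);
  if (!scheme) return true; // no scheme: relative path or #fragment
  return SAFE_SCHEMES.has(scheme[0].toLowerCase());
}

// Flag the explicit settings the advisory names.
// `mermaidConfig` is the object passed to mermaid.initialize();
// `webPreferences` is the Electron BrowserWindow webPreferences object.
function auditRenderer(mermaidConfig, webPreferences) {
  const findings = [];
  if (mermaidConfig.securityLevel === "loose")
    findings.push("mermaid securityLevel is 'loose'");
  if (webPreferences.nodeIntegration === true)
    findings.push("Electron nodeIntegration is enabled");
  if (webPreferences.contextIsolation === false)
    findings.push("Electron contextIsolation is disabled");
  return findings;
}

// Constructed sample inputs: the weak combination beside a hardened one.
const weak = auditRenderer(
  { securityLevel: "loose" },
  { nodeIntegration: true, contextIsolation: false });
const hardened = auditRenderer(
  { securityLevel: "strict" },
  { nodeIntegration: false, contextIsolation: true, sandbox: true });

// Constructed link targets as they might appear on rendered diagram nodes.
const sampleTargets = [
  "https://example.com/a", "#node-1", " Java\tScript:void(0)", "data:text/html,x"];
const rejected = sampleTargets.filter((t) => !isSafeLinkTarget(t));

console.log({ weak, hardened, rejected });
```
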

Exploit

Fix

RCE

Code Injection

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-40322

Affected Products

Siyuan