PT-2026-35065 · Siyuan · Siyuan

Published 2026-04-24 · Updated 2026-04-24 · CVE-2026-41421

CVSS v3.1: 8.8 (High) · AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.5
Description: SiYuan desktop renders notification messages as raw HTML within an Electron renderer. The API endpoint '/api/notification/pushMsg' accepts a user-controlled msg value, which is forwarded through the backend broadcast layer and inserted into the DOM using the insertAdjacentHTML() function in message.ts. Because Electron windows are configured with nodeIntegration: true, contextIsolation: false, and webSecurity: false in main.js, JavaScript executed via this sink can access Node APIs, leading to desktop code execution.
Recommendations: Update to version 3.6.5.
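The description above names two layers of the problem: a renderer sink that treats an untrusted msg as markup, and window settings that let any injected script reach Node. The following is an added illustration, not SiYuan's code and not the 3.6.5 fix: it shows the unsafe interpolation pattern next to an escaped one, and a small check over Electron webPreferences that flags the settings the advisory reports. Function names, the sample message and the hardened preference values are assumptions.

```javascript
// Added example (not SiYuan's own code). Shows the two defensive layers
// relevant to this advisory: escaping untrusted text before it becomes
// markup, and renderer settings that keep injected script away from Node.

// Escape the characters that change meaning inside element content or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe pattern, as the advisory describes it: msg is interpolated into
// markup that is later handed to insertAdjacentHTML(), so any tags in msg
// are parsed and executed by the renderer.
function buildNotificationUnsafe(msg) {
  return `<div class="notification">${msg}</div>`;
}

// Hardened pattern: msg is escaped first, so markup characters in it render
// as literal text. (In a real renderer, creating the element and assigning
// el.textContent = msg avoids building an HTML string at all.)
function buildNotificationSafe(msg) {
  return `<div class="notification">${escapeHtml(msg)}</div>`;
}

// webPreferences the advisory reports for affected versions.
const affectedWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
  webSecurity: false,
};

// Assumed hardened webPreferences: renderer code has no Node access, the
// preload script runs in an isolated world, and the renderer is sandboxed.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// Return the keys that would let script running in the page reach Node
// or bypass same-origin checks. An empty list means the settings match
// Electron's recommended defaults.
function findRiskyWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration");
  if (prefs.contextIsolation !== true) findings.push("contextIsolation");
  if (prefs.sandbox !== true) findings.push("sandbox");
  if (prefs.webSecurity === false) findings.push("webSecurity");
  return findings;
}

// Constructed sample message containing markup characters.
const sampleMsg = 'Build <b>done</b> & "ready"';
```

With the affected settings, findRiskyWebPreferences reports all four keys; with the hardened set it reports none. Escaping the message closes the sink described in the advisory, while the preference changes limit what any remaining injection can reach.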

Exploit

Fix

OS Command Injection

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-41421

Affected Products: Siyuan