PT-2026-39285 · Siyuan · Siyuan

Curly-Haired-Baboon · Published 2026-05-08 · Updated 2026-05-20 · CVE-2026-44588

CVSS v4.0: 9.4 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.7.0

Description: In the tooltip mouseover handler, the software reads the aria-label attribute, runs it through decodeURIComponent and assigns the result to messageElement.innerHTML. The encoder escapeAriaLabel() handles only the standard HTML special characters and ignores %XX URL-escapes. Consequently, a document title containing URL-encoded characters (e.g., %3Cimg src=x onerror=...%3E) passes through the encoder untouched and is turned back into literal HTML tags by decodeURIComponent at render time. When the result is assigned to innerHTML, the HTML parser evaluates the injected markup and the embedded event handler runs.

Because the renderer is configured with nodeIntegration: true, contextIsolation: false and webSecurity: false, the injected handler can reach require('child_process'), leading to arbitrary code execution on the victim's desktop. The tooltip is rendered when the victim hovers over search results, file-tree tooltips, or AV column names and descriptions, so any of these can trigger it.

Recommendations: Update to version 3.7.0. As a temporary workaround, replace the innerHTML assignment in app/src/dialog/tooltip.ts with textContent so tooltip messages are never parsed as HTML, and avoid applying decodeURIComponent to generic aria-label paths in app/src/block/popover.ts.
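The escape-then-decode ordering the description refers to, modelled as plain string functions in an added example (not SiYuan's code): escapeAriaLabel here is a minimal stand-in for the real encoder, the titles are constructed, and hasEncodedMarkup is a hypothetical check a defender could run over stored titles to find values that this ordering would miss.

```javascript
// Added example, not SiYuan's code: the encoder, the vulnerable read path,
// the decode-then-escape fix, and a check for titles that would slip past.

// Minimal stand-in for escapeAriaLabel(): like the original, it knows the
// five HTML metacharacters and nothing about %XX sequences.
function escapeAriaLabel(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Vulnerable ordering: the title is escaped when written into aria-label,
// then URL-decoded when read back.  Returns the string that would reach
// messageElement.innerHTML.
function renderTooltipVulnerable(title) {
  const ariaLabel = escapeAriaLabel(title); // "%3C" has no metacharacter to escape
  return decodeURIComponent(ariaLabel);     // ... so it comes back as a literal "<"
}

// Fix: decode first, escape last, so the escaper sees the real characters.
// (Assigning to textContent instead of innerHTML would also close the hole,
// because textContent never parses its input as markup.)
function renderTooltipFixed(title) {
  return escapeAriaLabel(decodeURIComponent(title));
}

// Defender check over stored titles: flags a value whose HTML metacharacters
// appear only after URL-decoding, i.e. exactly what escape-before-decode misses.
// Malformed %-sequences make decodeURIComponent throw; treat those as clean.
function hasEncodedMarkup(title) {
  let decoded;
  try { decoded = decodeURIComponent(title); } catch (e) { return false; }
  return /[<>"'&]/.test(decoded) && !/[<>"'&]/.test(title);
}

// Constructed sample titles: a literal tag the encoder handles correctly,
// and a URL-encoded tag (a harmless <b>, not a payload) that it misses.
const LITERAL_TITLE = "Meeting notes <draft>";
const ENCODED_TITLE = "Notes %3Cb%3Eread me%3C%2Fb%3E";

for (const t of [LITERAL_TITLE, ENCODED_TITLE]) {
  console.log(JSON.stringify(t));
  console.log("  vulnerable :", renderTooltipVulnerable(t));
  console.log("  fixed      :", renderTooltipFixed(t));
  console.log("  flagged    :", hasEncodedMarkup(t));
}
```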

Exploit · Fix · XSS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: CVE-2026-44588, GHSA-25RP-H46X-2HJM, GO-2026-4993

Affected Products: Siyuan