{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39846", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T19:13:20.378Z", "datePublished": "2026-04-07T21:34:28.517Z", "dateUpdated": "2026-04-08T15:23:37.827Z"}, "containers": {"cna": {"title": "SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:34:28.517Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4."}], "source": {"advisory": "GHSA-phhp-9rm9-6gr2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:23:34.478628Z", "id": "CVE-2026-39846", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:37.827Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39846", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T15:23:34.478628Z"}}}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:29.101Z"}}], "cna": {"title": "SiYuan affected by Remote Code Execution in the Electron desktop client via stored XSS in synced table captions", "source": {"advisory": "GHSA-phhp-9rm9-6gr2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"status": "affected", "version": "< 3.6.4"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2", "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T21:34:28.517Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39846", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:23:37.827Z", "dateReserved": "2026-04-07T19:13:20.378Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T21:34:28.517Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4."}], "id": "CVE-2026-39846", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T22:16:23.597", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.4)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "siyuan", "source": "cna", "vendor": "siyuan-note"}, "product": "siyuan", "vendor": "siyuan"}], "analysis": {"en": {"generated_at": "2026-04-07T23:46:53.395418+00:00", "value": {"mitigation_remediation": ["Apply the patch by upgrading SiYuan to version 3.6.4 or later", "If upgrading is not immediately possible, refrain from opening or syncing notes that originated from unknown or untrusted collaborators", "Consider disabling node integration or enabling context isolation in the Electron client if the application configuration allows it", "Verify that the latest version signature matches the vendor\u2019s official release to ensure no tampering has occurred"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All users running SiYuan Electron desktop client editions prior to 3.6.4 are affected. The vulnerability is present in the Siyuan application bundled with the Electron framework as sold by the vendor Siyuan\u2011Note. It is fixed starting with version 3.6.4, which is the only version that has the proper escaping implemented.", "description_and_impact": "SiYuan is a personal knowledge management system that uses an Electron desktop client. Before version 3.6.4 a table caption entered in a note is stored without proper escaping. When the note is rendered, the caption data is unescaped into HTML, creating a stored cross\u2011site scripting sink. Because the Electron renderer runs with Node.js integration enabled and context isolation disabled, the malicious JavaScript runs with full Node.js privileges, allowing an attacker to execute arbitrary code on the victim\u2019s machine. This single flaw provides complete compromise of the desktop application.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a critical severity. The CVE is not listed in the CISA KEV catalog and no EPSS score is available, so the current public exploitation probability is unknown. The expected attack vector is remote: an attacker must first create a malicious note with a crafted table caption and then cause a victim to sync and open that note, for example by sharing a workspace. The vulnerability requires the victim to have the updated Electron client running with node integration; if a user is running a patched or newer version or has disabled node integration, exploitation is blocked."}}}}, "created": "2026-04-08T19:45:28.059336+00:00", "updated": "2026-04-09T08:23:01.841245+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}