{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40322", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.505Z", "datePublished": "2026-04-16T23:00:07.719Z", "dateUpdated": "2026-04-16T23:00:07.719Z"}, "containers": {"cna": {"title": "SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x63q-3rcj-hhp5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x63q-3rcj-hhp5"}, {"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-16T23:00:07.719Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to \"loose\", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4."}], "source": {"advisory": "GHSA-x63q-3rcj-hhp5", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to \"loose\", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4."}], "id": "CVE-2026-40322", "lastModified": "2026-04-16T23:16:33.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-16T23:16:33.733", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x63q-3rcj-hhp5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T02:51:10.090149+00:00", "value": {"mitigation_remediation": ["Upgrade to SiYuan version 3.6.4 or newer, which removes the Mermaid rendering flag and sanitizes the SVG output.", "For notes created before the fix, review and delete any Mermaid blocks that contain javascript: links or other suspicious content.", "If you use a custom Electron build, ensure that nodeIntegration is disabled and contextIsolation is enabled to reduce the risk of XSS escalation.", "After applying the patch, verify that the securityLevel is set to \"strict\" in the application settings to prevent future unsafe rendering."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the SiYuan Note application, specifically versions 3.6.3 and earlier. Users running these releases on any platform that uses the desktop Electron build are at risk.", "description_and_impact": "SiYuan renders Mermaid diagrams with a securityLevel of \"loose\" and injects the resulting SVG into the page through innerHTML. This allows Mermaid code blocks containing attacker\u2011controlled javascript: URLs to persist in the rendered output. When a note containing such a diagram is opened in the desktop Electron version, the application creates a window with nodeIntegration enabled and contextIsolation disabled, turning the stored XSS into arbitrary code execution. This flaw can lead to full compromise of the victim machine if they open a malicious note and interact with the diagram.", "risk_and_exploitability": "The flaw scores a CVSS of 9.1, indicating critical severity. Although EPSS data is not available, the lack of mitigations in affected releases and the need for a victim to open a note suggest a non\u2011negligible exploitation probability. The issue is not listed in CISA\u2019s KEV catalog, but its high score and the absence of broader protective controls mean that organizations should treat it as critical. The attack requires a crafted Mermaid diagram containing a javascript: link; once a user opens or clicks the diagram in the Electron environment, the stored XSS escalates to code execution because of the insecure configuration of nodeIntegration and contextIsolation."}}}}, "created": "2026-04-17T03:00:08.439145+00:00", "updated": "2026-04-17T03:00:08.439165+00:00", "vendors": []}