CVE-2026-39846
CVE-2026-39846 is a critical-severity vulnerability rated 9/10 on the CVSS scale. SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. EPSS estimates a 0.54% chance of exploitation in the next 30 days.
Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
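The two defensive checks the description implies, as an added example that is not SiYuan's own code: escaping caption text at the point it becomes HTML (closing the stored-XSS sink), and verifying that an Electron renderer's `webPreferences` do not pair `nodeIntegration: true` with `contextIsolation: false` (the combination that turned XSS into RCE here). The caption sample and function names are constructed for illustration; the assumed defaults mirror Electron's documented ones (`nodeIntegration` off, `contextIsolation` on).

```javascript
// Added example, not code from the SiYuan project. Plain Node.js, no Electron import needed.

// Characters that can break out of a text context inside an HTML element.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape untrusted text so stored markup is rendered as literal characters.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape described above: caption stored raw and interpolated straight into HTML.
function renderCaptionUnsafe(caption) {
  return `<caption>${caption}</caption>`;
}

// Hardened shape: the caption is escaped where it becomes HTML, not on some earlier path.
function renderCaptionSafe(caption) {
  return `<caption>${escapeHtml(caption)}</caption>`;
}

// True when any raw tag (other than the <caption> wrapper) survives into the rendered HTML.
function containsRawMarkup(html) {
  const inner = html.replace(/^<caption>|<\/caption>$/g, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Renderer posture check. `webPreferences` is the object handed to `new BrowserWindow()`.
// Assumed defaults (matching Electron's): nodeIntegration false, contextIsolation true.
// Returns false for the weak combination the description names.
function rendererIsHardened(webPreferences = {}) {
  const nodeIntegration = webPreferences.nodeIntegration === true;
  const contextIsolation = webPreferences.contextIsolation !== false;
  return !nodeIntegration && contextIsolation;
}

// Constructed sample: a table caption carrying markup, as a synced note could.
const SAMPLE_CAPTION = "Q1 totals <script>syncedPayload()</script>";

// Constructed configurations: the weak one described above and a hardened one.
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true };

console.log(renderCaptionUnsafe(SAMPLE_CAPTION)); // raw <script> survives
console.log(renderCaptionSafe(SAMPLE_CAPTION));   // &lt;script&gt; ... rendered as text
console.log(rendererIsHardened(WEAK_PREFS), rendererIsHardened(HARDENED_PREFS)); // false true
```

Escaping at render time is what matters; storing an already-escaped caption and unescaping it before rendering, as the description says the affected versions did, reintroduces the sink.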
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| B3log | Siyuan | < 3.6.4 |
References
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2 (Exploit, Vendor Advisory)
Source: NVD / NIST
