Vulnerability Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| B3Log | Siyuan | < 3.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2ExploitVendor Advisory
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2ExploitVendor Advisory
FAQ
What is CVE-2026-39846?
CVE-2026-39846 is a vulnerability with a CVSS score of 9.0 (CRITICAL). SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is tha...
How severe is CVE-2026-39846?
CVE-2026-39846 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-39846?
Check the references section above for vendor advisories and patch information. Affected products include: B3Log Siyuan.