Critical (9.0)

SiYuan stored XSS leads to code execution (CVE-2026-40322)

CVE-2026-40322

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the ...

Overview

A critical security vulnerability in the SiYuan personal knowledge management software allows attackers to execute arbitrary code on a victim’s desktop system. The flaw, tracked as CVE-2026-40322, stems from how the application renders diagrams within user notes.

Vulnerability Details

SiYuan versions 3.6.3 and below render Mermaid diagrams with securityLevel set to "loose". Mermaid's default level, "strict", encodes HTML in diagram text and disables click interactions; "loose" allows both. SiYuan then assigns the rendered SVG to the page via innerHTML without sanitizing it, so a javascript: URL attached to a diagram element in a note's code block lands in the Document Object Model (DOM) intact. When a user opens a note containing such a diagram and clicks the element, the attacker's script runs in the context of the SiYuan application.

The impact is far greater on the desktop application, which is built with Electron. Those builds run the renderer with nodeIntegration enabled and contextIsolation disabled, so page script has direct access to Node.js APIs such as require('child_process'). That configuration escalates the stored Cross-Site Scripting (XSS) bug into arbitrary code execution on the victim's operating system as soon as they click the malicious diagram element.

Impact

An attacker who can create or edit a note containing a Mermaid diagram, for example by sharing a malicious note file or by compromising a knowledge base, can embed code that executes when another user views it. On affected desktop installations this code is not confined to the renderer: it runs with the privileges of the logged-in user and can install malware, read and exfiltrate files, or plant persistence.

The vulnerability requires user interaction (the victim must open the note and click the diagram element), but the consequence is complete compromise of the local machine. The CVSS v3.1 base score is 9.0 (Critical).

Remediation and Mitigation

The primary and definitive remediation is to update SiYuan to version 3.6.4 or later. This version fixes the insecure Mermaid rendering configuration.

Action Required:

  1. Update Immediately: All users of SiYuan, especially of the desktop version, must upgrade to version 3.6.4 or later without delay.
  2. Verify Version: Check your current SiYuan version in the application’s settings or about dialog.
  3. Exercise Caution: Until updated, be cautious when opening shared note files or data packs from untrusted sources.

There is no effective workaround for this vulnerability; patching is essential.

Security Insight

This vulnerability shows how a web-application bug is amplified when an Electron desktop client inherits it without the process isolation Electron provides. Stored XSS escalating to local code execution is a recurring pattern in Electron apps that disable contextIsolation or enable nodeIntegration, because either setting hands page script the Node.js runtime. Developers should keep Electron's secure defaults (contextIsolation: true, nodeIntegration: false, sandbox: true) and expose only the minimal API the renderer needs through a preload script and contextBridge.
