CVE-2026-44670
published 2026-05-14
Priority P3 · 50 · critical · 9.4 CVSS 4.0
AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS
0.51%
39.5th percentile
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | siyuan-note_siyuan_kernel | 0 – 0.0.0-20260421031503-96dfe0bea474 | — |
| siyuan-note | siyuan | < 3.7.0 | 3.7.0 |
VulDB
SiYuan up to 3.6.x Transaction cross site scripting (GHSA-2h64-c999-c9r6)
vuldb·2026-05-15·CVSS 9.4
CVE-2026-44670 [CRITICAL] SiYuan up to 3.6.x Transaction cross site scripting (GHSA-2h64-c999-c9r6)
A vulnerability labeled as problematic has been found in SiYuan up to 3.6.x. Impacted is an unknown function of the component Transaction Handler. Such manipulation leads to cross site scripting.
This vulnerability is traded as CVE-2026-44670. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
ghsa·2026-05-08
CVE-2026-44670 [CRITICAL] CWE-1188 SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
## Summary
The kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw `strings.ReplaceAll(tpl, "${avName}", nodeAvName)` to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (`render.ts:120` → `outerHTML`, `Title.ts:401` → `innerHTML`, `transaction.ts:559` → `innerHTML`) consume the value without escaping. Because the main BrowserWindow runs `nodeIntegration:true, contextIsolation:false, webSecurity:false` (`app/electron/main.js:407-411`), HTML injection in the renderer becomes Node.js code execution.
Payload is stored on disk under `data/storage/av/.json`, replicates via every sync transport (S3 / WebDAV / c
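The server-side half of the summary, shown as an added Go example (not SiYuan's code and not its 3.7.0 fix): the raw `strings.ReplaceAll` substitution beside an escaped one, with a check that a name cannot change the template's markup. The template text, the `av__title` class, the function names and the sample names are constructed; only the `${avName}` placeholder comes from the advisory.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed stand-in for the kernel render template; only the ${avName}
// placeholder is taken from the advisory.
const avTemplate = `<div class="av__title" title="${avName}">${avName}</div>`

// renderRaw follows the pattern the advisory describes: the stored name is
// substituted verbatim, so markup in the name becomes markup in the page.
func renderRaw(tpl, avName string) string {
	return strings.ReplaceAll(tpl, "${avName}", avName)
}

// renderEscaped HTML-escapes the name first. html.EscapeString covers
// < > & ' and ", so the value is inert both in element content and inside
// a quoted attribute.
func renderEscaped(tpl, avName string) string {
	return strings.ReplaceAll(tpl, "${avName}", html.EscapeString(avName))
}

// addsMarkup is a regression check: rendering a name must not change the
// number of tag openers or attribute quotes the template itself contains.
func addsMarkup(render func(tpl, name string) string, tpl, name string) bool {
	out := render(tpl, name)
	return strings.Count(out, "<") != strings.Count(tpl, "<") ||
		strings.Count(out, `"`) != strings.Count(tpl, `"`)
}

func main() {
	// Constructed AV names: one plain, one carrying harmless markup and quotes.
	for _, name := range []string{"Reading list", `Q3 "plan" <b>draft</b>`} {
		fmt.Printf("name=%q\n  raw:     %s (adds markup: %v)\n  escaped: %s (adds markup: %v)\n",
			name,
			renderRaw(avTemplate, name), addsMarkup(renderRaw, avTemplate, name),
			renderEscaped(avTemplate, name), addsMarkup(renderEscaped, avTemplate, name))
	}
}
```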
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-14
Published