Platform
go
Component
github.com/siyuan-note/siyuan/kernel
Fixed in
3.6.5
0.0.0-20260407035653-2f416e5253f1
CVE-2026-39846 describes a critical Cross-Site Scripting (XSS) vulnerability within the SiYuan Kernel, the core of the SiYuan note-taking application. This vulnerability allows a malicious note, when synced to another user's workspace, to trigger remote code execution. The vulnerability affects versions prior to 0.0.0-20260407035653-2f416e5253f1, and a patch has been released to address the issue.
The impact of CVE-2026-39846 is severe. An attacker can craft a malicious note containing JavaScript code within a table caption. When this note is imported into a synced workspace and subsequently opened by another user, the unescaped caption content is rendered as HTML, executing the attacker's JavaScript. Because the SiYuan Electron desktop client runs with nodeIntegration enabled and contextIsolation disabled, this JavaScript executes with full access to Node.js APIs, effectively granting the attacker remote code execution capabilities. This could lead to data theft, system compromise, or further malicious activity within the affected user's environment. The potential for lateral movement is significant, as the attacker could leverage Node.js APIs to interact with the underlying operating system.
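The defect class described above, as an added illustration written for this page (it is not SiYuan's code and does not reproduce its actual renderer): a Go caption renderer that interpolates note content raw, beside the hardened form that HTML-escapes it with the standard library's `html.EscapeString`, plus a small oracle that reports whether raw markup reached the output. The sample caption, the function names and the `<caption>` wrapper are constructed assumptions.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// renderCaptionUnsafe mirrors the defect class in the advisory: the caption
// from the note is concatenated into HTML without escaping, so any markup in
// a synced note's caption becomes live markup in the rendered page.
// (Illustrative reconstruction, not SiYuan's renderer.)
func renderCaptionUnsafe(caption string) string {
	return "<caption>" + caption + "</caption>"
}

// renderCaptionSafe is the hardened form: html.EscapeString replaces the
// characters that carry meaning in HTML (<, >, &, ', ") with entities, so the
// caption is shown as text and cannot introduce elements or event handlers.
func renderCaptionSafe(caption string) string {
	return "<caption>" + html.EscapeString(caption) + "</caption>"
}

// captionLeaksMarkup is a defender-side oracle for this example: it strips
// the expected <caption> wrapper and reports whether any raw angle bracket
// survives inside it, i.e. whether note content reached the page as markup
// rather than as text. It is a test check, not a replacement for escaping.
func captionLeaksMarkup(rendered string) bool {
	inner := strings.TrimSuffix(strings.TrimPrefix(rendered, "<caption>"), "</caption>")
	return strings.ContainsAny(inner, "<>")
}

func main() {
	// Constructed sample caption standing in for content arriving via note sync.
	caption := `Quarterly figures <script>alert(1)</script>`

	unsafeOut := renderCaptionUnsafe(caption)
	safeOut := renderCaptionSafe(caption)

	fmt.Printf("unsafe: %s\n  leaks markup: %v\n", unsafeOut, captionLeaksMarkup(unsafeOut))
	fmt.Printf("safe:   %s\n  leaks markup: %v\n", safeOut, captionLeaksMarkup(safeOut))
}
```

Escaping at the renderer is the fix; the Electron settings the advisory mentions (nodeIntegration enabled, contextIsolation disabled) are what turn a rendered-markup bug into code execution, so tightening them is defence in depth rather than a substitute for output encoding.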
This vulnerability was publicly disclosed on 2026-04-08. The CVSS score of 9.0 (CRITICAL) reflects the ease of exploitation and the significant impact. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and the critical severity. The vulnerability's reliance on note syncing and the potential for remote code execution suggest a high probability of exploitation, potentially warranting inclusion in CISA's KEV catalog. Active campaigns targeting SiYuan users are possible, particularly if readily available exploits are published.
Users of SiYuan who utilize note syncing are particularly at risk. This includes teams collaborating on shared workspaces and individuals who regularly import notes from external sources. Legacy configurations with older versions of SiYuan are also highly vulnerable, as they have not received the security patch. Shared hosting environments where multiple users share the same SiYuan instance are also at increased risk.
• windows / supply-chain:
Get-Process -Name SiYuan | Select-Object -ExpandProperty Path
• linux / server:
ps aux | grep siyuan
• generic web:
curl -I https://your-siyuan-instance.com/ | grep -i 'X-Content-Type-Options: nosniff'
Disclosure
Patch
Exploit status
EPSS
0.14% (34th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39846 is to immediately upgrade to version 0.0.0-20260407035653-2f416e5253f1 or later. If upgrading is not immediately feasible, consider temporarily disabling note syncing to prevent the propagation of malicious notes. While a direct workaround is not available, carefully reviewing all synced notes for suspicious content can help identify and remove potentially malicious notes. Monitor network traffic for unusual outbound connections originating from the SiYuan application. After upgrading, confirm the fix by importing a known safe note and verifying that table captions are rendered correctly without any unexpected JavaScript execution.
Upgrade to version 3.6.4 or later to mitigate the remote code execution vulnerability. This version fixes the unsafe escaping of table captions, preventing the injection of malicious code through synced notes.
CVE-2026-39846 is a critical XSS vulnerability in the SiYuan Kernel, allowing malicious notes to trigger remote code execution through unescaped table captions.
You are affected if you are using SiYuan Kernel versions prior to 0.0.0-20260407035653-2f416e5253f1, especially if you utilize note syncing.
Upgrade to version 0.0.0-20260407035653-2f416e5253f1 or later. Temporarily disable note syncing if immediate upgrade is not possible.
While no active exploitation has been confirmed, the critical severity and potential for easy exploitation suggest a high likelihood of future exploitation.
Refer to the official SiYuan security advisory for detailed information and updates: [https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx]