Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.5, 0.0.0-20260407035653-2f416e5253f1
CVE-2026-39846 describes a critical Cross-Site Scripting (XSS) vulnerability within the SiYuan Kernel, the core of the SiYuan note-taking application. This vulnerability allows a malicious note, when synced to another user's workspace, to trigger remote code execution. The vulnerability affects versions prior to 0.0.0-20260407035653-2f416e5253f1, and a patch has been released to address the issue.
The impact of CVE-2026-39846 is severe. An attacker can craft a malicious note containing JavaScript code within a table caption. When this note is imported into a synced workspace and subsequently opened by another user, the unescaped caption content is rendered as HTML, executing the attacker's JavaScript. Because the SiYuan Electron desktop client runs with nodeIntegration enabled and contextIsolation disabled, this JavaScript executes with full access to Node.js APIs, effectively granting the attacker remote code execution capabilities. This could lead to data theft, system compromise, or further malicious activity within the affected user's environment. The potential for lateral movement is significant, as the attacker could leverage Node.js APIs to interact with the underlying operating system.
This vulnerability was publicly disclosed on 2026-04-08. The CVSS score of 9.0 (CRITICAL) reflects the ease of exploitation and the significant impact. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and the critical severity. The vulnerability's reliance on note syncing and the potential for remote code execution suggest a high probability of exploitation, potentially warranting inclusion in CISA's KEV catalog. Active campaigns targeting SiYuan users are possible, particularly if readily available exploits are published.
Exploit Status
EPSS: 0.14% (34th percentile)
The primary mitigation for CVE-2026-39846 is to immediately upgrade to version 0.0.0-20260407035653-2f416e5253f1 or later. If upgrading is not immediately feasible, consider temporarily disabling note syncing to prevent the propagation of malicious notes. While a direct workaround is not available, carefully reviewing all synced notes for suspicious content can help identify and remove potentially malicious notes. Monitor network traffic for unusual outbound connections originating from the SiYuan application. After upgrading, confirm the fix by importing a known safe note and verifying that table captions are rendered correctly without any unexpected JavaScript execution.
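As an added illustration, not SiYuan's own code, of the bug class described above (caption text concatenated into HTML without escaping) and of the note-review step in the mitigation: the unescaped rendering beside its escaped form, plus a simple check that flags captions containing markup. `sampleCaption` and the caption list are constructed values.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed sample caption: an ordinary title with an embedded script tag,
// standing in for the kind of content a malicious synced note could carry.
const sampleCaption = "Quarterly totals <script>alert(1)</script>"

// renderCaptionUnsafe reproduces the bug class only: the caption text is
// concatenated straight into HTML, so any tags inside it become live markup.
// Illustrative code, not SiYuan's renderer.
func renderCaptionUnsafe(caption string) string {
	return "<caption>" + caption + "</caption>"
}

// renderCaptionSafe is the hardened form: the caption is HTML-escaped so a
// browser shows it as text and never parses it as markup.
func renderCaptionSafe(caption string) string {
	return "<caption>" + html.EscapeString(caption) + "</caption>"
}

// suspiciousCaptions is a review aid for synced notes: it returns the captions
// that contain characters a browser could treat as markup. Plain captions
// with neither '<' nor '>' are not flagged.
func suspiciousCaptions(captions []string) []string {
	var flagged []string
	for _, c := range captions {
		if strings.ContainsAny(c, "<>") {
			flagged = append(flagged, c)
		}
	}
	return flagged
}

func main() {
	fmt.Println("unsafe:", renderCaptionUnsafe(sampleCaption))
	fmt.Println("safe:  ", renderCaptionSafe(sampleCaption))
	// Constructed list of captions as a review tool would collect them from a workspace.
	notes := []string{"Budget 2026", sampleCaption, "Headcount by team"}
	for _, c := range suspiciousCaptions(notes) {
		fmt.Println("needs review:", c)
	}
}
```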
Update to version 3.6.4 or later to mitigate the remote code execution vulnerability. This version fixes the insecure escaping issue in table captions, preventing malicious code injection through synced notes.
CVE-2026-39846 is a critical XSS vulnerability in the SiYuan Kernel, allowing malicious notes to trigger remote code execution through unescaped table captions.
You are affected if you are using SiYuan Kernel versions prior to 0.0.0-20260407035653-2f416e5253f1, especially if you utilize note syncing.
Upgrade to version 0.0.0-20260407035653-2f416e5253f1 or later. Temporarily disable note syncing if immediate upgrade is not possible.
While no active exploitation has been confirmed, the critical severity and potential for easy exploitation suggest a high likelihood of future exploitation.
Refer to the official SiYuan security advisory for detailed information and updates: [https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx]