Platform: nodejs
Component: siyuan-note
Fixed in: 3.6.5
CVE-2026-40322 affects SiYuan, an open-source personal knowledge management system. The vulnerability stems from the insecure rendering of Mermaid diagrams, where attacker-controlled JavaScript URLs can be injected into the DOM. This can lead to arbitrary code execution, particularly on desktop builds using Electron, if a user opens a malicious note and interacts with the diagram. The vulnerability is resolved in version 3.6.4.
CVE-2026-40322 in SiYuan affects versions 3.6.3 and below. It allows an attacker to inject malicious JavaScript code through Mermaid diagrams. SiYuan, an open-source personal knowledge management system, renders these diagrams with a securityLevel set to 'loose'. This means that javascript: URLs within Mermaid code are not properly filtered and are directly injected into the DOM using innerHTML. In desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution on the user's system. This vulnerability is particularly concerning in environments where users import or share content from untrusted sources.
An attacker could exploit this vulnerability by inserting malicious JavaScript code within a Mermaid diagram in a SiYuan document. If a user opens this document, the JavaScript code will execute in their context, potentially allowing the attacker to steal sensitive information, modify files, or even take control of the system. The ease of injection and elevated execution privileges make this vulnerability a significant risk. The attack is more effective if the attacker can convince the user to open the compromised document, either through social engineering or by distributing malicious files.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-40322 is to update SiYuan to version 3.6.4 or higher. This version fixes the vulnerability by implementing stricter filtering of javascript: URLs in Mermaid code, preventing their injection into the DOM. Additionally, it's recommended to review and sanitize any existing content that may have been compromised. For desktop environments, ensure that Electron windows have nodeIntegration disabled and contextIsolation enabled, which limits the access of injected code to system resources. Monitoring system activity and applying the latest security updates are recommended best practices to reduce the risk of exploitation.
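As an added example (not SiYuan's or Mermaid's own code) of the filtering step described above, the following JavaScript gate parses the click directives of a Mermaid source and refuses any URL whose scheme is outside an allow-list; it assumes it runs before the renderer is called and alongside a mermaid.initialize call using securityLevel 'strict'.

```javascript
// Added example, not SiYuan's or Mermaid's own code: a pre-render gate that
// rejects Mermaid sources carrying a non-allow-listed URL in a click directive.
// Assumed to run before mermaid.render() and alongside securityLevel 'strict'.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Normalise a URL literal the way browsers do before reading the scheme:
// ASCII control and whitespace characters are dropped and case is ignored,
// so an obfuscated "java\tscript:" still resolves to javascript:.
function normalizeUrl(raw) {
  return raw.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
}

// Returns "scheme:" for absolute URLs, or null for relative/scheme-less ones.
function urlScheme(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalizeUrl(raw));
  return m ? m[1] + ":" : null;
}

// Collect URL literals from Mermaid interaction directives of the forms
//   click <id> "<url>" ["tooltip"]   and   click <id> href "<url>" ["tooltip"]
// Callback forms (click <id> callback ...) carry no URL and are skipped.
function extractClickUrls(source) {
  const re = /^\s*click\s+\S+\s+(?:href\s+)?"([^"]*)"/gim;
  const urls = [];
  let m;
  while ((m = re.exec(source)) !== null) urls.push(m[1]);
  return urls;
}

// Gate: ok is false when any click URL uses a scheme outside the allow-list.
// findings reports each offending URL together with the scheme it normalised to.
function checkMermaidSource(source) {
  const findings = [];
  for (const url of extractClickUrls(source)) {
    const scheme = urlScheme(url);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) findings.push({ url, scheme });
  }
  return { ok: findings.length === 0, findings };
}

// Companion Mermaid initialisation a defender pairs with this gate (hypothetical
// call site, shown as a comment so the block runs without the library):
// mermaid.initialize({ startOnLoad: false, securityLevel: "strict" });
```

Sample inputs in the accompanying checks are constructed; a rejected source should be shown as plain text rather than handed to the renderer.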
Update to version 3.6.4 or later to mitigate the vulnerability. This update corrects the way Mermaid diagrams are rendered, blocking the injection of malicious JavaScript code and preventing arbitrary code execution in the Electron environment.
SiYuan is an open-source personal knowledge management system.
Version 3.6.4 fixes the CVE-2026-40322 vulnerability, preventing the execution of malicious code.
nodeIntegration and contextIsolation are Electron window settings that control the access of JavaScript code to system resources. Disabling nodeIntegration and enabling contextIsolation increases security.
If you have been using a version prior to 3.6.4 and have opened documents from untrusted sources, you may have been affected. Monitor system activity for unusual behavior.
Update SiYuan to the latest version, run a full antivirus scan, and consider changing the passwords for your important accounts.