Platform: go
Component: siyuan-note
Fixed in: 3.6.5, 0.0.0-20260414013942-62eed37a3263
CVE-2026-40922 describes a stored cross-site scripting (XSS) vulnerability in the SiYuan note-taking application. The flaw stems from an incomplete earlier fix for the rendering of bazaar (marketplace) README files, which still allowed attackers to inject scripts. The vulnerability affects versions 3.6.1 through 3.6.4 and can lead to arbitrary code execution within the application's Electron context. A fix has been released in version 3.6.4.
Successful exploitation of CVE-2026-40922 allows an attacker to inject arbitrary JavaScript code into the SiYuan application. This code executes within the context of the user's session, granting the attacker the ability to steal sensitive data, modify notes, or even take control of the application. The attack vector involves crafting a malicious bazaar README file containing an <iframe> tag with a srcdoc attribute that includes embedded JavaScript. When a user views this README file within SiYuan, the injected script will execute. The blast radius extends to all users who install and view malicious bazaar packages, potentially compromising their entire note collection and associated data.
CVE-2026-40922 was publicly disclosed on 2026-04-16. Currently, there are no publicly available proof-of-concept exploits. The vulnerability is tracked on the NVD and CISA websites. The EPSS score is pending evaluation, but the potential for stored XSS in a note-taking application suggests a medium to high probability of exploitation if a readily available exploit is developed.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-40922 is to upgrade SiYuan to version 3.6.4 or later, which includes the complete fix for the README rendering vulnerability. If upgrading immediately is not feasible, consider temporarily disabling the installation of bazaar packages from untrusted sources. While a direct workaround isn't available, carefully reviewing the source of any bazaar packages before installation can help prevent exploitation. After upgrading, confirm the fix by attempting to install a known malicious bazaar package (if available) and verifying that the injected script does not execute.
Update to version 3.6.4 or later to mitigate the vulnerability. This version corrects the incomplete sanitization of iframe tags in bazaar package READMEs, preventing the execution of malicious code in the application context.
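As an added, defender-side illustration (example code, not SiYuan's own), the following Python allowlist sanitizer shows the property a complete fix needs: rather than filtering individual iframe attributes such as src, it drops every element not on the allowlist together with its content, so an iframe carrying a srcdoc document never reaches the renderer. The tag and attribute lists and the sample README fragment are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "code", "pre", "strong", "em", "ul", "ol", "li", "img", "h1", "h2", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/", "#")
VOID = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class ReadmeSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <iframe>, <script>, ... whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1  # the whole element goes, srcdoc and src with it
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content still flows through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops srcdoc, on* handlers, style, ... without naming them
            if name in ("href", "src") and not (value or "").lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_readme_html(fragment: str) -> str:
    parser = ReadmeSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample shaped like the vector described above (not a real package).
MALICIOUS_README = ('<p>Theme <strong>Dark</strong></p>'
                    '<iframe srcdoc="<script>console.log(1)</script>"></iframe>'
                    '<a href="javascript:void(0)" onclick="x()">docs</a>')
```

Because the element is removed rather than its attributes edited, a later attribute variant would be handled the same way; the allowlist is what has to be reviewed, not a growing blocklist.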
CVE-2026-40922 is a stored XSS vulnerability in SiYuan versions 3.6.1 through 3.6.4, allowing attackers to inject malicious scripts via bazaar README files.
You are affected if you are using SiYuan version 3.6.1, 3.6.2, 3.6.3, or 3.6.4 and use bazaar packages.
Upgrade SiYuan to version 3.6.4 or later to remediate the vulnerability. Consider disabling bazaar package installation from untrusted sources as a temporary measure.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official SiYuan security advisory for detailed information and updates: [https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory URL)