CRITICAL · CVE-2026-39846 · CVSS 9

SiYuan: stored XSS in synced table captions leads to remote code execution in the Electron desktop client

Platform

go

Component

github.com/siyuan-note/siyuan/kernel

Fixed versions

3.6.5

0.0.0-20260407035653-2f416e5253f1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-39846 describes a critical Cross-Site Scripting (XSS) vulnerability within the SiYuan Kernel, the core of the SiYuan note-taking application. This vulnerability allows a malicious note, when synced to another user's workspace, to trigger remote code execution. The vulnerability affects versions prior to 0.0.0-20260407035653-2f416e5253f1, and a patch has been released to address the issue.


Impact and attack scenarios

The impact of CVE-2026-39846 is severe. An attacker can craft a malicious note containing JavaScript code within a table caption. When this note is imported into a synced workspace and subsequently opened by another user, the unescaped caption content is rendered as HTML, executing the attacker's JavaScript. Because the SiYuan Electron desktop client runs with nodeIntegration enabled and contextIsolation disabled, this JavaScript executes with full access to Node.js APIs, effectively granting the attacker remote code execution capabilities. This could lead to data theft, system compromise, or further malicious activity within the affected user's environment. The potential for lateral movement is significant, as the attacker could leverage Node.js APIs to interact with the underlying operating system.
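The root cause described above is a note-controlled string (a table caption) being written into HTML without escaping. The following Go example is added here to illustrate that bug class and its fix; it is not SiYuan's code, and the function names, the regular expression and the sample captions are all constructed for this illustration. It places the vulnerable pattern beside the hardened one, and adds a small triage helper that flags captions containing HTML-like markup, which is one way to carry out the "review synced notes for suspicious content" advice given in the mitigation section.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// renderCaptionUnsafe models the vulnerable pattern (hypothetical, not
// SiYuan's code): note-controlled text is concatenated straight into HTML,
// so any markup inside the caption is parsed and executed by the renderer.
func renderCaptionUnsafe(caption string) string {
	return "<caption>" + caption + "</caption>"
}

// renderCaptionSafe is the hardened form: html.EscapeString turns <, >, &,
// ' and " into entities, so the caption is displayed as literal text and
// can no longer introduce tags, attributes or script into the document.
func renderCaptionSafe(caption string) string {
	return "<caption>" + html.EscapeString(caption) + "</caption>"
}

// markupPattern (constructed for this example) matches things that never
// belong in a plain-text caption: an HTML tag, an inline event-handler
// attribute such as onclick=, or a javascript: URL scheme.
var markupPattern = regexp.MustCompile(`(?i)<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:`)

// SuspiciousCaptions returns every caption that contains HTML-like markup.
// It is a cheap review aid for synced notes on a client that has not yet
// been upgraded; it is not a substitute for the fix, only a triage filter.
func SuspiciousCaptions(captions []string) []string {
	var hits []string
	for _, c := range captions {
		if markupPattern.MatchString(c) {
			hits = append(hits, c)
		}
	}
	return hits
}

func main() {
	// Constructed sample captions: one benign, one with a tag, one with a
	// bare "<" (legitimate text, must not be flagged), one with an event handler.
	captions := []string{
		"Revenue 2025",
		"Totals <b>bold</b>",
		"a < b",
		"hover onmouseover=x",
	}
	fmt.Println("unsafe:", renderCaptionUnsafe(captions[1]))
	fmt.Println("safe:  ", renderCaptionSafe(captions[1]))
	fmt.Println("flagged for review:", SuspiciousCaptions(captions))
}
```

The escaping happens at the point where caption text is emitted as HTML, which is the only place it can be done reliably; filtering on input (the `SuspiciousCaptions` helper) is useful for reviewing an existing workspace but will always lag behind new markup variants, so it should not be relied on as the fix.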

Exploitation context

This vulnerability was publicly disclosed on 2026-04-08. The CVSS score of 9.0 (CRITICAL) reflects the ease of exploitation and the significant impact. Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and the critical severity. The vulnerability's reliance on note syncing and the potential for remote code execution suggest a high probability of exploitation, potentially warranting inclusion in CISA's KEV catalog. Active campaigns targeting SiYuan users are possible, particularly if readily available exploits are published.

Who is at risk

Users of SiYuan who utilize note syncing are particularly at risk. This includes teams collaborating on shared workspaces and individuals who regularly import notes from external sources. Legacy configurations with older versions of SiYuan are also highly vulnerable, as they have not received the security patch. Shared hosting environments where multiple users share the same SiYuan instance are also at increased risk.

Detection steps

• windows / supply-chain:

Get-Process -Name SiYuan | Select-Object -ExpandProperty Path

• linux / server:

ps aux | grep siyuan

• generic web:

curl -I https://your-siyuan-instance.com/ | grep -i 'X-Content-Type-Options: nosniff'

Attack timeline

  1. Disclosure

  2. Patch

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: NO
Internet exposure
Reports: 3 threat reports

EPSS

0.14% (34th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical impact: total

CVSS vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
9.0 CRITICAL
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit the vulnerability)
Privileges Required: Low (authentication level needed for the attack)
User Interaction: Required (whether the victim must take an action)
Scope: Changed (impact extends beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet, with no physical or local access required. The largest attack surface.
Attack Complexity
Low: no special conditions are needed; the vulnerability can be exploited reliably.
Privileges Required
Low: any valid user account suffices.
User Interaction
Required: the victim must open a file, click a link or visit a specially crafted page.
Scope
Changed: the attack can reach beyond the vulnerable component and affect other systems.
Confidentiality
High: total loss of confidentiality; the attacker can read all data.
Integrity
High: the attacker can write, modify or delete any data.
Availability
High: complete crash or resource exhaustion; full denial of service.

Affected software

Component: github.com/siyuan-note/siyuan/kernel
Vendor: osv
Affected range: < 3.6.4
Fixed versions: 3.6.5, 0.0.0-20260407035653-2f416e5253f1

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigations and alternatives

The primary mitigation for CVE-2026-39846 is to immediately upgrade to version 0.0.0-20260407035653-2f416e5253f1 or later. If upgrading is not immediately feasible, consider temporarily disabling note syncing to prevent the propagation of malicious notes. While a direct workaround is not available, carefully reviewing all synced notes for suspicious content can help identify and remove potentially malicious notes. Monitor network traffic for unusual outbound connections originating from the SiYuan application. After upgrading, confirm the fix by importing a known safe note and verifying that table captions are rendered correctly without any unexpected JavaScript execution.

Remediation

Upgrade to 3.6.4 or later to mitigate the remote code execution vulnerability. This release fixes the unsafe escaping of table captions, so malicious code can no longer be injected through synced notes.


Frequently asked questions

What is CVE-2026-39846 — XSS in SiYuan Kernel?

CVE-2026-39846 is a critical XSS vulnerability in the SiYuan Kernel, allowing malicious notes to trigger remote code execution through unescaped table captions.

Am I affected by CVE-2026-39846 in SiYuan Kernel?

You are affected if you are using SiYuan Kernel versions prior to 0.0.0-20260407035653-2f416e5253f1, especially if you utilize note syncing.

How do I fix CVE-2026-39846 in SiYuan Kernel?

Upgrade to version 0.0.0-20260407035653-2f416e5253f1 or later. Temporarily disable note syncing if immediate upgrade is not possible.

Is CVE-2026-39846 being actively exploited?

While no active exploitation has been confirmed, the critical severity and potential for easy exploitation suggest a high likelihood of future exploitation.

Where can I find the official SiYuan advisory for CVE-2026-39846?

Refer to the official SiYuan security advisory for detailed information and updates: [https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx]
