CVE-2026-41421: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in siyuan-note siyuan
CVE-2026-41421 is a high-severity OS command injection vulnerability in SiYuan, an open-source personal knowledge management system. Versions prior to 3. 6. 5 render notification messages as raw HTML in an Electron renderer with unsafe configurations (nodeIntegration: true, contextIsolation: false, webSecurity: false). This allows user-controlled input in notifications to execute JavaScript with full Node. js API access, leading to potential desktop code execution. The vulnerability is fixed in version 3. 6. 5.
AI Analysis
Technical Summary
SiYuan versions before 3.6.5 have an OS command injection vulnerability due to improper neutralization of special elements in notification messages. The POST /api/notification/pushMsg endpoint accepts a user-controlled message that is inserted into the DOM using insertAdjacentHTML without sanitization. Because Electron windows are configured insecurely (nodeIntegration enabled, contextIsolation disabled, webSecurity disabled), malicious JavaScript in notifications can access Node APIs and escalate to desktop code execution. This vulnerability is addressed in SiYuan 3.6.5.
Potential Impact
Successful exploitation allows an attacker with limited privileges to execute arbitrary code on the desktop environment running SiYuan by injecting malicious JavaScript through notification messages. This can lead to full compromise of the user's system where SiYuan is installed. The CVSS 3.1 score is 8.8 (high), reflecting local attack vector, low complexity, no user interaction, and complete confidentiality, integrity, and availability impact.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.6.5. Users should upgrade to version 3.6.5 or later to remediate the issue. No additional mitigation guidance is provided, and patch status is confirmed by the vendor's versioning. Since this is not a cloud service, remediation depends on user upgrade.
CVE-2026-41421: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in siyuan-note siyuan
Description
CVE-2026-41421 is a high-severity OS command injection vulnerability in SiYuan, an open-source personal knowledge management system. Versions prior to 3. 6. 5 render notification messages as raw HTML in an Electron renderer with unsafe configurations (nodeIntegration: true, contextIsolation: false, webSecurity: false). This allows user-controlled input in notifications to execute JavaScript with full Node. js API access, leading to potential desktop code execution. The vulnerability is fixed in version 3. 6. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SiYuan versions before 3.6.5 have an OS command injection vulnerability due to improper neutralization of special elements in notification messages. The POST /api/notification/pushMsg endpoint accepts a user-controlled message that is inserted into the DOM using insertAdjacentHTML without sanitization. Because Electron windows are configured insecurely (nodeIntegration enabled, contextIsolation disabled, webSecurity disabled), malicious JavaScript in notifications can access Node APIs and escalate to desktop code execution. This vulnerability is addressed in SiYuan 3.6.5.
Potential Impact
Successful exploitation allows an attacker with limited privileges to execute arbitrary code on the desktop environment running SiYuan by injecting malicious JavaScript through notification messages. This can lead to full compromise of the user's system where SiYuan is installed. The CVSS 3.1 score is 8.8 (high), reflecting local attack vector, low complexity, no user interaction, and complete confidentiality, integrity, and availability impact.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.6.5. Users should upgrade to version 3.6.5 or later to remediate the issue. No additional mitigation guidance is provided, and patch status is confirmed by the vendor's versioning. Since this is not a cloud service, remediation depends on user upgrade.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T15:32:33.813Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ebc30587115cfb68680b10
Added to database: 4/24/2026, 7:22:45 PM
Last enriched: 4/24/2026, 7:36:07 PM
Last updated: 4/24/2026, 9:37:33 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.