CVE-2026-44588: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in app/src/util/escape.ts:19-25, only handles HTML special characters (", ', <, literal <) — it leaves %XX URL-escapes untouched. So a doc title containing %3Cimg src=x onerror=...%3E round-trips through escapeAriaLabel and the HTML attribute layer unmodified. Then decodeURIComponent on the consumer side converts %3C to a literal < character (a real <, NOT a character reference). When that string is assigned to innerHTML, the HTML5 tokenizer enters TagOpenState on the literal <, parses the <img> element, and the onerror handler fires. Because the renderer runs with nodeIntegration: true, contextIsolation: false, webSecurity: false (app/electron/main.js:407-411), require('child_process') is reachable from the injected handler, escalating to arbitrary code execution.This vulnerability is fixed in 3.7.0.
AI Analysis
Technical Summary
SiYuan versions before 3.7.0 contain a cross-site scripting vulnerability caused by improper input handling in the tooltip mouseover handler. The aria-label attribute is read and decoded via decodeURIComponent and then assigned directly to innerHTML. The encoding function escapeAriaLabel only escapes certain HTML special characters but leaves URL-encoded sequences intact. This allows an attacker to craft a document title containing URL-encoded HTML tags (e.g., %3Cimg src=x onerror=...%3E) that decode into executable HTML elements with event handlers. Because the Electron renderer runs with nodeIntegration enabled, contextIsolation disabled, and webSecurity disabled, the injected script can access Node.js modules such as child_process, leading to arbitrary code execution. This vulnerability is addressed in SiYuan version 3.7.0.
Potential Impact
Exploitation of this vulnerability allows an attacker to execute arbitrary code on the victim's system through a crafted document title that triggers a malicious event handler in the Electron-based renderer. The vulnerability is critical due to the combination of cross-site scripting and the insecure Electron configuration, which enables escalation from script execution to full arbitrary code execution. There are no known exploits in the wild at the time of this report.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.7.0. Users should upgrade to version 3.7.0 or later to remediate this issue. Since the product is not a cloud service, remediation requires applying the official update. Patch status is not explicitly stated beyond the fix in 3.7.0, so users should verify the vendor advisory for the latest remediation guidance.
CVE-2026-44588: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in app/src/util/escape.ts:19-25, only handles HTML special characters (", ', <, literal <) — it leaves %XX URL-escapes untouched. So a doc title containing %3Cimg src=x onerror=...%3E round-trips through escapeAriaLabel and the HTML attribute layer unmodified. Then decodeURIComponent on the consumer side converts %3C to a literal < character (a real <, NOT a character reference). When that string is assigned to innerHTML, the HTML5 tokenizer enters TagOpenState on the literal <, parses the <img> element, and the onerror handler fires. Because the renderer runs with nodeIntegration: true, contextIsolation: false, webSecurity: false (app/electron/main.js:407-411), require('child_process') is reachable from the injected handler, escalating to arbitrary code execution.This vulnerability is fixed in 3.7.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SiYuan versions before 3.7.0 contain a cross-site scripting vulnerability caused by improper input handling in the tooltip mouseover handler. The aria-label attribute is read and decoded via decodeURIComponent and then assigned directly to innerHTML. The encoding function escapeAriaLabel only escapes certain HTML special characters but leaves URL-encoded sequences intact. This allows an attacker to craft a document title containing URL-encoded HTML tags (e.g., %3Cimg src=x onerror=...%3E) that decode into executable HTML elements with event handlers. Because the Electron renderer runs with nodeIntegration enabled, contextIsolation disabled, and webSecurity disabled, the injected script can access Node.js modules such as child_process, leading to arbitrary code execution. This vulnerability is addressed in SiYuan version 3.7.0.
Potential Impact
Exploitation of this vulnerability allows an attacker to execute arbitrary code on the victim's system through a crafted document title that triggers a malicious event handler in the Electron-based renderer. The vulnerability is critical due to the combination of cross-site scripting and the insecure Electron configuration, which enables escalation from script execution to full arbitrary code execution. There are no known exploits in the wild at the time of this report.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.7.0. Users should upgrade to version 3.7.0 or later to remediate this issue. Since the product is not a cloud service, remediation requires applying the official update. Patch status is not explicitly stated beyond the fix in 3.7.0, so users should verify the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-06T21:49:12.425Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a06e21bec166c07b0e8f07c
Added to database: 5/15/2026, 9:06:35 AM
Last enriched: 5/15/2026, 9:08:56 AM
Last updated: 5/16/2026, 6:26:27 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.