SiYuan versions before 3.7.0 improperly neutralize input when generating web pages by embedding raw Attribute View names into HTML without escaping. The rendering templates use string replacement to insert these names directly into HTML, which three client-side code paths consume without escaping. Because the Electron app runs with insecure settings (nodeIntegration enabled, no context isolation, and disabled web security), this XSS vulnerability allows injected HTML to execute Node.js code in the renderer process. This elevates the impact from typical XSS to remote code execution within the application context. The vulnerability is addressed in SiYuan 3.7.0.

Exploitation of this vulnerability allows an attacker to execute arbitrary Node.js code within the renderer process of the SiYuan application, potentially leading to full compromise of the application environment. The CVSS 4.0 score is 9.4 (critical), reflecting network attack vector, no privileges required, user interaction needed, and high impact on confidentiality, integrity, availability, and security requirements. No known exploits in the wild have been reported.

This vulnerability is fixed in SiYuan version 3.7.0. Users should upgrade to version 3.7.0 or later to remediate this issue. No other official remediation or temporary fixes are indicated. Patch status is not explicitly stated in vendor advisories but the fix is included in the 3.7.0 release. Until upgrading, avoid processing untrusted input as Attribute View names.