CVE-2026-44670: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.
AI Analysis
Technical Summary
SiYuan versions before 3.7.0 improperly neutralize input during web page generation by embedding unescaped attribute view names into HTML templates. The rendering process uses raw string replacement to insert these names, which are then consumed by multiple client-side paths without escaping. Because the Electron app runs with nodeIntegration enabled and contextIsolation disabled, this XSS vulnerability can lead to remote code execution within the renderer process. The issue is addressed in version 3.7.0 of SiYuan.
Potential Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript code that executes in the context of the Electron renderer process with Node.js integration enabled. This can lead to full remote code execution on the client machine running the vulnerable SiYuan version, posing a critical security risk.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.7.0. Users should upgrade to version 3.7.0 or later to remediate this issue. Patch status is not explicitly confirmed beyond the fix in 3.7.0; therefore, users should verify with the vendor advisory or official release notes for the latest remediation guidance.
CVE-2026-44670: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SiYuan versions before 3.7.0 improperly neutralize input during web page generation by embedding unescaped attribute view names into HTML templates. The rendering process uses raw string replacement to insert these names, which are then consumed by multiple client-side paths without escaping. Because the Electron app runs with nodeIntegration enabled and contextIsolation disabled, this XSS vulnerability can lead to remote code execution within the renderer process. The issue is addressed in version 3.7.0 of SiYuan.
Potential Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript code that executes in the context of the Electron renderer process with Node.js integration enabled. This can lead to full remote code execution on the client machine running the vulnerable SiYuan version, posing a critical security risk.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.7.0. Users should upgrade to version 3.7.0 or later to remediate this issue. Patch status is not explicitly confirmed beyond the fix in 3.7.0; therefore, users should verify with the vendor advisory or official release notes for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T16:20:08.659Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a06e21cec166c07b0e8f082
Added to database: 5/15/2026, 9:06:36 AM
Last enriched: 5/15/2026, 9:09:20 AM
Last updated: 5/15/2026, 7:59:48 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.