SiYuan versions before 3.7.0 improperly neutralize input in CSS snippets during web page generation. Specifically, a CSS snippet body containing a closing </style> tag breaks out of its surrounding <style> element when rendered via insertAdjacentHTML in the renderSnippet() function. This allows injection of arbitrary JavaScript. On Electron desktop builds where nodeIntegration is true, the injected JavaScript can access Node.js modules such as child_process, enabling remote code execution on the host. The vulnerability bypasses the user's enabledJS setting, which is intended to disable JavaScript execution, because the CSS injection path executes scripts regardless. Attackers with write access to any synced workspace can plant malicious payloads that execute on every device syncing that workspace. The issue is resolved in SiYuan version 3.7.0.

Successful exploitation allows an attacker with write access to a synced workspace to execute arbitrary JavaScript code in the renderer context of SiYuan. On Electron desktop builds with nodeIntegration enabled, this escalates to remote code execution on the host system, potentially compromising confidentiality, integrity, and availability. The vulnerability bypasses user security settings intended to disable JavaScript execution, increasing the risk of exploitation. This can lead to full system compromise on affected desktop clients.

This vulnerability is fixed in SiYuan version 3.7.0. Users and administrators should upgrade to version 3.7.0 or later to remediate the issue. No official patch or temporary fix is indicated beyond upgrading. Since this is not a cloud service, remediation depends on applying the fixed version. Until upgraded, restrict write access to synced workspaces to trusted users only to reduce risk.