CVE Catalog

CVE-2026-44588

Critical
Published: Translated: NVD NIST

Summary

SiYuan is a knowledge management system that prior to version 3.7.0 had an issue with handling the aria-label attribute. Due to improper URL decoding, it was possible to inject malicious HTML code, leading to unauthorized script execution.

Risk Assessment

Organizations using SiYuan may be exposed to XSS attacks, which can lead to data theft or session hijacking. There is a high security risk associated with the application.

Recommendation

It is recommended to update SiYuan to version 3.7.0 or later to mitigate this vulnerability. Additionally, consider enabling context isolation and web security features.

Original NVD description (English source)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in app/src/util/escape.ts:19-25, only handles HTML special characters (", ', <, literal &lt;) — it leaves %XX URL-escapes untouched. So a doc title containing %3Cimg src=x onerror=...%3E round-trips through escapeAriaLabel and the HTML attribute layer unmodified. Then decodeURIComponent on the consumer side converts %3C to a literal < character (a real <, NOT a character reference). When that string is assigned to innerHTML, the HTML5 tokenizer enters TagOpenState on the literal <, parses the <img> element, and the onerror handler fires. Because the renderer runs with nodeIntegration: true, contextIsolation: false, webSecurity: false (app/electron

Vulnerability data from NVD (NIST) · CISA KEV · EPSS