CVE-2026-44670
CriticalSummary
SiYuan is an open-source personal knowledge management system. In versions prior to 3.7.0, attribute view names are stored without HTML escape, leading to potential HTML injection and Node.js code execution in the renderer.
Risk Assessment
Exploitation of this vulnerability could lead to remote code execution, posing a serious threat to the application's security and user data.
Recommendation
It is recommended to upgrade to version 3.7.0 or later to mitigate this vulnerability and implement appropriate security measures in the application.
Original NVD description (English source)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.

