CVE Catalog

CVE-2026-55570

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

24th percentile — higher than 24% of all known CVEs

Summary

SiYuan is an open-source personal knowledge management system that prior to version 3.7.0 did not escape untrusted fields (name, version, author, description) when serialized into the data-obj HTML attribute of each marketplace card. As a result, a package containing a single quote could inject arbitrary HTML, escalating from DOM XSS to arbitrary OS command execution.

Risk Assessment

Organizations may be exposed to attacks that allow remote command execution on user systems, potentially leading to serious security breaches.

Recommendation

It is recommended to update SiYuan to version 3.7.0 or later to mitigate this vulnerability and implement additional security measures to protect against code injection.

Original NVD description (English source)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is produced with JSON.stringify() (which does not escape ', <, or >), a package whose name contains a single quote breaks out of the attribute and injects arbitrary HTML. In the desktop client the main BrowserWindow runs with nodeIntegration: true, contextIsolation: false, so the injected markup escalates from DOM XSS to arbitrary OS command execution. This is the same root cause and same impact as the original advisory, reached through a sibling sink the patch did not cover. This vulnerability is fixed in 3.7.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS