CVE-2026-44586 | THREATINT

Description

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

PUBLISHED Reserved 2026-05-06 | Published 2026-05-14 | Updated 2026-05-14 | Assigner GitHub_M

HIGH: 8.3CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

>= 2.1.12, < 3.7.0

affected

References

github.com/...siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9 exploit

github.com/...siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9

cve.org (CVE-2026-44586)

nvd.nist.gov (CVE-2026-44586)

Download JSON