CVE-2026-59855
SiYuan: Store XSS To Rce via Asset.render
CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
22th
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an event handler, and execute JavaScript that can run OS commands in the Electron renderer. This issue is fixed in versions 3.7.1-alpha.2 and 3.7.1.
| CWE | CWE-80 |
| Vendor | siyuan-note |
| Product | siyuan |
| Published | Jul 9, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for siyuan-note siyuan
Be the first to know when new unknown vulnerabilities affecting siyuan-note siyuan are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
siyuan-note / siyuan
< 3.7.1