๐Ÿ” CVE Alert

CVE-2026-59855

UNKNOWN 0.0

SiYuan: Store XSS To Rce via Asset.render

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
22th

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an event handler, and execute JavaScript that can run OS commands in the Electron renderer. This issue is fixed in versions 3.7.1-alpha.2 and 3.7.1.

CWE CWE-80
Vendor siyuan-note
Product siyuan
Published Jul 9, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for siyuan-note siyuan

Be the first to know when new unknown vulnerabilities affecting siyuan-note siyuan are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

siyuan-note / siyuan
< 3.7.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w3gq-5j72-36vc github.com: https://github.com/siyuan-note/siyuan/commit/efbe3a557720034782643e55c9e0282530cb6bbb github.com: https://github.com/siyuan-note/siyuan/releases/tag/v3.7.1