Cross-Site Scripting in SiYuan Personal Knowledge Management System
CVE-2026-41421

8.8HIGH

Key Information:

Vendor: Siyuan-note
Status: Siyuan
Vendor: CVE Published:; 24 April 2026

🔔 Create Siyuan-note Vulnerability Alert

What is CVE-2026-41421?

SiYuan, an open-source personal knowledge management system, is susceptible to a Cross-Site Scripting (XSS) flaw due to improper handling of notification messages in versions before 3.6.5. Specifically, the application renders raw HTML from user-controlled input when displaying notifications. This implementation flaw, combined with the Electron framework's lack of security configurations—allowing node integration and disabling context isolation—can lead to severe security implications. An attacker can exploit this weakness to execute arbitrary JavaScript code, gaining unauthorized access to Node APIs and potentially escalating privileges to execute code on the desktop environment.

Affected Version(s)

siyuan < 3.6.5

References

https://github.com/siyuan-note/siyuan/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41421 Data

JSON