Stored XSS Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-44586

8.3 HIGH

Key Information:

CVE Published: 14 May 2026

What is CVE-2026-44586?

The SiYuan personal knowledge management system renders metadata from the public bazaar stage feed into HTML without adequate escaping. Versions from 2.1.12 up to, but not including, 3.7.0 are affected, and the result is a stored XSS vulnerability inside the desktop application. The impact is amplified by the desktop application's Electron renderer configuration, nodeIntegration: true and contextIsolation: false, which lets script running in the page call Node.js APIs, so an injected script is not confined to the browser DOM. The vulnerability has been fixed in version 3.7.0, so users should update to that version to mitigate the risk.
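The two weaknesses the description names, feed metadata concatenated into HTML unescaped and a renderer that can reach Node.js, can be illustrated side by side. The JavaScript below is an added example and not SiYuan's code: the renderPackageCard functions, escapeHtml, hasUntrustedTag, the constructed sample feed entry and the webPreferencesFindings checker are assumptions of this illustration; the option names nodeIntegration, contextIsolation and sandbox are Electron's real BrowserWindow webPreferences keys.

```javascript
// Added example, not SiYuan's code. Shows (1) the unescaped-concatenation
// pattern beside an escaped version and (2) a check for the renderer
// settings that turn a DOM-level XSS into Node.js API access.
// All function names and the sample feed entry are constructed here.

// Escape the characters that can change HTML context. '&' first so
// later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: feed fields go straight into markup, so any tag in
// pkg.name or pkg.description becomes live DOM when the string is set
// as innerHTML. This models the bug, it is not the project's code.
function renderPackageCardUnsafe(pkg) {
  return `<div class="pkg"><h3>${pkg.name}</h3><p>${pkg.description}</p></div>`;
}

// Hardened pattern: every field that originated in the feed is escaped
// before being placed into text content.
function renderPackageCardSafe(pkg) {
  return `<div class="pkg"><h3>${escapeHtml(pkg.name)}</h3>` +
         `<p>${escapeHtml(pkg.description)}</p></div>`;
}

// Constructed sample feed entry (not real bazaar data) with markup and
// HTML-significant characters in its metadata.
const SAMPLE_PACKAGE = {
  name: 'Nice Theme <img src=x onerror="alert(1)">',
  description: 'A "theme" with & in it',
};

// True if the rendered HTML still carries an unescaped <img ...> tag
// from the untrusted field (the card wrapper itself only uses div/h3/p).
function hasUntrustedTag(html) {
  return /<img\b/i.test(html);
}

// Renderer settings as the advisory describes them, and a hardened set
// matching Electron's documented secure defaults.
const VULNERABLE_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Defender check: list each setting that would let page script escape the DOM.
function webPreferencesFindings(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is true: page script can require() Node.js modules');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation is not true: page script shares a JS world with the preload');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox is not true: the renderer process is not OS-sandboxed');
  }
  return findings;
}

// Stand-alone demonstration.
function demo() {
  console.log('unsafe :', renderPackageCardUnsafe(SAMPLE_PACKAGE));
  console.log('safe   :', renderPackageCardSafe(SAMPLE_PACKAGE));
  console.log('vulnerable prefs:', webPreferencesFindings(VULNERABLE_WEB_PREFERENCES));
  console.log('hardened prefs  :', webPreferencesFindings(HARDENED_WEB_PREFERENCES));
}
if (typeof require !== 'undefined' && require.main === module) demo();
```

Escaping on output closes the injection point; the webPreferences change is the defense in depth that keeps a future rendering bug from reaching Node.js, which is why both are worth checking in an Electron application review.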

Affected Version(s)

siyuan >= 2.1.12, < 3.7.0

CVSS v3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved