Arbitrary Code Execution in SiYuan Personal Knowledge Management System
CVE-2026-44588

9.4 CRITICAL

Key Information:

Status:
Vendor:
CVE Published: 14 May 2026

What is CVE-2026-44588?

The SiYuan Personal Knowledge Management System prior to version 3.7.0 contains a vulnerability in its tooltip mouseover handler that can lead to arbitrary code execution. The issue arises from improper handling of HTML attributes and URL-encoded data within the application. When the handler processes a crafted document title that contains a malicious image, the application fails to adequately filter or escape the input, so an attacker can inject code that is then executed because of the application's insecure rendering settings. The vulnerability has been addressed in version 3.7.0.

Affected Version(s)

siyuan < 3.7.0

References

CVSS V4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
