JavaScript Injection Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-59855

8.6HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59855?

The SiYuan personal knowledge management system is vulnerable to JavaScript injection in the Asset.render function prior to version 3.7.1. This vulnerability arises when the application interpolates unsanitized path values into the HTML content assigned to innerHTML. An attacker could exploit this by crafting a malicious asset link containing a double quote, causing the src attribute to break out. This could potentially enable the injection of an event handler and execution of arbitrary JavaScript code that may run OS commands within the Electron renderer environment. This serious flaw underscores the importance of input sanitization and has been addressed in versions 3.7.1-alpha.2 and 3.7.1.

Affected Version(s)

siyuan < 3.7.1

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.