CVE-2026-44670

216.73.217.22

· Published 14/05/2026 19:16 · Modified 15/05/2026 15:16

Labels: CVE-2026-44670 2026-05-14 CVE-2026-44670 CWE-79 [email protected]

Essential information

Published: 14/05/2026 19:16
Modified: 15/05/2026 15:16
Author: —
Creator: —
CVSS: 9.4 CRITICAL (v3) 9.4 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution. This vulnerability is fixed in 3.7.0.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
siyuan / siyuan	`cpe:2.3:a:siyuan:siyuan:<3.7.0:::::::*`