CVE-2026-39846: Remote Code Execution via Stored XSS in SiYuan Electron Client

The vulnerability resides in the SiYuan personal knowledge management system, specifically within the Electron-based desktop client. Identified as CVE-2026-39846, this critical flaw affects all application versions prior to 3.6.4. The issue originates as a stored Cross-Site Scripting (XSS) vulnerability within the markdown table rendering logic.

The application accepts user input for table captions and stores this data within local .sy note files. During the document rendering process, the SiYuan client reads these files and injects the caption content directly into the Document Object Model (DOM). The application fails to apply adequate sanitization or escaping mechanisms to this specific field.

This DOM-based injection escalates to a systemic compromise due to the underlying Electron framework configuration. The application operates with nodeIntegration: true and contextIsolation: false. These settings dismantle the protective sandbox typically enforced by web browsers, merging the JavaScript context of the rendered page with the internal Node.js runtime environment.

Attackers weaponize this architectural flaw by distributing maliciously crafted notes through shared workspaces. When a victim synchronizes their environment and opens the compromised note, the application executes the injected payload. This process requires no additional user interaction or authentication bypass, culminating in arbitrary command execution on the host system.

The root cause of CVE-2026-39846 is a combination of Improper Neutralization of Input (CWE-79) and Improper Control of Generation of Code (CWE-94). The markdown parsing engine extracts the table caption attribute from the local database and processes it for display. The code relies on an insecure unescape operation that preserves executable HTML tags.

Upon processing the note, the application appends the resulting string to the active document via an insecure DOM assignment. The renderer does not utilize a secure sink or an intermediate sanitization layer, such as DOMPurify, for the table caption attribute. This permits the evaluation of arbitrary script blocks embedded within the document data.

The severity of this injection is entirely dependent on the insecure configuration of the BrowserWindow component in Electron. By setting contextIsolation: false, the framework allows variables and functions defined in the renderer to access the global scope of the Node.js runtime. This breaks the isolation boundary required to safely process untrusted user content.

Furthermore, the nodeIntegration: true directive explicitly authorizes the renderer process to import native system modules. Scripts injected into the DOM gain immediate access to the require function. This exposes the host operating system's command execution APIs directly to the compromised renderer thread.

The vulnerable implementation lacks a dedicated sanitization pass for the table caption attribute. The application extracts the table metadata from the local .sy file and constructs an HTML string directly. The code directly concatenates the user-supplied string into the DOM output.

// Vulnerable Pattern (Conceptual)
function renderTable(tableData) {
  let html = '<table>';
  // Flaw: Unescaped raw input directly inserted into HTML
  html += '<caption>' + unescape(tableData.caption) + '</caption>';
  html += '<tbody>...</tbody></table>';
  document.getElementById('editor').innerHTML += html;
}

The fix introduced in version 3.6.4 implements rigorous input sanitization. The updated code utilizes the DOMPurify library to strip dangerous elements and attributes. The renderer passes the raw caption string through the sanitizer before any DOM insertion occurs.

// Patched Pattern (Conceptual)
import DOMPurify from 'dompurify';
 
function renderTable(tableData) {
  let html = '<table>';
  // Fix: Input is passed through DOMPurify prior to concatenation
  let cleanCaption = DOMPurify.sanitize(unescape(tableData.caption));
  html += '<caption>' + cleanCaption + '</caption>';
  html += '<tbody>...</tbody></table>';
  document.getElementById('editor').innerHTML += html;
}

Securing the underlying Electron environment requires modifications to the main process configuration. Developers must define strict webPreferences when instantiating the BrowserWindow to prevent renderer scripts from accessing the underlying operating system. The properties nodeIntegration: false and contextIsolation: true must be enforced.

Exploitation relies on delivering the malicious payload via the workspace synchronization mechanism. The attacker creates a standard .sy note file and manipulates the internal structure to include a crafted script tag injected into the caption attribute of a table block. The attacker then uploads this file to a public workspace or shares it directly.

<!-- Malicious Table Caption Payload -->
<script>
  try {
    const { exec } = require('child_process');
    // Opens calculator on Windows to prove execution
    exec('calc'); 
    // In an actual attack, fetches and executes a reverse shell
  } catch (e) {
    console.error(e);
  }
</script>

The SiYuan synchronization engine automatically pulls the malicious file into the victim's local storage location. The system performs this synchronization without scanning the contents for executable code. The payload remains dormant until the user navigates to the compromised document within the client application.

Once the victim opens the note, the vulnerable rendering engine parses the table block and injects the <script> tag into the active DOM. The JavaScript engine evaluates the block, invoking the exposed require function. The script imports the child_process module and executes system commands via the exec method.

The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical). The attack vector is classified as network-based, as the payload is delivered seamlessly through remote synchronization servers. The low attack complexity and low privilege requirements make this vulnerability highly exploitable by any actor capable of pushing changes to a shared workspace.

Successful exploitation results in a complete compromise of confidentiality, integrity, and availability on the affected endpoint. The executing payload inherits the authorization level of the user running the SiYuan application. The attacker gains the ability to exfiltrate local files, modify system configurations, and establish persistent backdoor access.

The user interaction required to trigger the exploit is minimal and routine. The victim simply opens a synchronized note file, an action central to the application's core functionality. The payload executes silently in the background, providing no visual indication to the user that a compromise has occurred.

The Exploit Prediction Scoring System (EPSS) rating is 0.00138, placing it in the 33.98th percentile. While mass automated exploitation is currently improbable, the documented proof-of-concept makes targeted attacks against specific user groups highly viable. Threat actors often leverage RCE vulnerabilities in productivity tools to gain an initial foothold in corporate environments.

The vendor addressed CVE-2026-39846 with the release of SiYuan version 3.6.4. Administrators and individual users must update their desktop clients to this version immediately. The patched release sanitizes table captions using DOMPurify and modifies the Electron configuration to isolate the renderer process.

Organizations utilizing centralized deployment tools should force the update across all managed endpoints. Security teams should monitor internal network traffic for indicators of compromise, such as unexpected outbound connections originating from the SiYuan executable. Deploying endpoint detection and response (EDR) rules to flag child processes spawned by the SiYuan client will aid in identifying active exploitation attempts.

For environments unable to deploy the patch immediately, administrators should instruct users to disable workspace synchronization with untrusted or public repositories. Users should avoid importing .sy files from unverified external sources. Manual inspection of .sy files using a text editor can reveal the presence of suspicious <script> tags within the document structure.

Developers maintaining Electron-based applications must adhere to secure framework configurations. Always enable contextIsolation and disable nodeIntegration for any BrowserWindow handling untrusted content. Utilize Context Bridge to expose specific, safe APIs to the renderer rather than providing raw access to Node.js modules.