CVE-2026-40322
Stored XSS in SiYuan Mermaid Rendering Enables Code Execution
Publication date: 2026-04-16
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | to 3.6.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions 3.6.3 and below. It involves the rendering of Mermaid diagrams with the securityLevel set to "loose". The resulting SVG is injected into the DOM using innerHTML, which allows attacker-controlled javascript: URLs within Mermaid code blocks to persist in the rendered output.
On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled. This configuration escalates the stored cross-site scripting (XSS) vulnerability to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node.
This issue was fixed in version 3.6.4.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code on the victim's machine. Specifically, when a user opens a note containing a malicious Mermaid diagram and interacts with it, the attacker-controlled javascript can run with elevated privileges due to Electron's nodeIntegration being enabled and contextIsolation disabled.
The consequences include complete compromise of the affected system, potentially leading to data theft, system manipulation, or further malware installation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade SiYuan to version 3.6.4 or later, where the issue has been fixed.
Avoid opening notes containing Mermaid diagrams from untrusted sources, especially on desktop builds using Electron with nodeIntegration enabled and contextIsolation disabled.