CVE-2026-40322
Received Received - Intake
Stored XSS in SiYuan Mermaid Rendering Enables Code Execution

Publication date: 2026-04-16

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40322
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan to 3.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions 3.6.3 and below. It involves the rendering of Mermaid diagrams with the securityLevel set to "loose". The resulting SVG is injected into the DOM using innerHTML, which allows attacker-controlled javascript: URLs within Mermaid code blocks to persist in the rendered output.

On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled. This configuration escalates the stored cross-site scripting (XSS) vulnerability to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node.

This issue was fixed in version 3.6.4.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to execute arbitrary code on the victim's machine. Specifically, when a user opens a note containing a malicious Mermaid diagram and interacts with it, the attacker-controlled javascript can run with elevated privileges due to Electron's nodeIntegration being enabled and contextIsolation disabled.

The consequences include complete compromise of the affected system, potentially leading to data theft, system manipulation, or further malware installation.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SiYuan to version 3.6.4 or later, where the issue has been fixed.

Avoid opening notes containing Mermaid diagrams from untrusted sources, especially on desktop builds using Electron with nodeIntegration enabled and contextIsolation disabled.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40322. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart