CVE-2026-50551
Stored XSS in SiYuan Prior to 3.7.0

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fixed in 3.7.0.
Meta Information
Generated: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: si_yuan
Product: si_yuan
Version / Range: up to 3.7.0 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

The vulnerability exists in SiYuan, an open-source personal knowledge management system, specifically in versions prior to 3.7.0. It is a stored cross-site scripting (XSS) vulnerability located in the Attribute View (database) asset cell renderer. This XSS vulnerability can escalate to remote code execution (RCE) within the Electron desktop client used by SiYuan.

Impact Analysis

This vulnerability can have severe impact because it allows an attacker to execute arbitrary code on the affected system. Since the stored XSS escalates to remote code execution in the Electron desktop client, an attacker could potentially take full control of the user's system, leading to data theft, system compromise, or further attacks.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SiYuan to version 3.7.0 or later, as this version contains the fix for the stored cross-site scripting (XSS) vulnerability that leads to remote code execution (RCE).
