CVE-2026-54158
Status: Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, url, phone, and mAsset. A cell value like </textarea><img src=x onerror="..."> or "><img src=x onerror="..."> breaks out of its surrounding tag and runs arbitrary JavaScript in the renderer when the victim opens the block-attribute panel. On Electron desktop the renderer runs with nodeIntegration:true, so the XSS chains to host RCE via require('child_process'). AV files live under the workspace and ride normal sync, so an attacker with write access to any synced workspace plants the payload once and it fires on every device that opens a panel containing that row. The kernel doesn't escape on the way in either, so the malicious cell persists byte-for-byte. There's no equivalent of the html.EscapeAttrVal call that protects block IAL attributes at kernel/model/blockial.go:261. This vulnerability is fixed in 3.7.0.
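The following is an added example, not SiYuan's code, that reproduces the pattern the description names: a simplified cell renderer that drops cell content into markup with template literals in its text, url, phone and mAsset branches, next to a hardened rewrite that escapes on output and refuses link schemes a cell of that type should not carry. The cell object shapes, class names and function names are assumptions for illustration; the two payloads are the ones quoted above with alert(1) standing in for the attacker's script.

```javascript
// Added example (not SiYuan's code): a simplified stand-in for an attribute-view
// cell renderer that interpolates cell content raw, beside a hardened rewrite.
// Cell object shapes, class names and function names are assumptions.

// Payloads constructed from the advisory. The first closes a <textarea>, the
// second closes a quoted attribute value; both then inject an <img onerror>.
const PAYLOAD_TEXTAREA = '</textarea><img src=x onerror="alert(1)">';
const PAYLOAD_ATTR = '"><img src=x onerror="alert(1)">';
const INJECTED = '<img src=x onerror="alert(1)">';

// Vulnerable pattern: raw interpolation in the text, url, phone and mAsset branches.
function renderCellVulnerable(cell) {
  switch (cell.type) {
    case "text":
      return `<textarea class="av__cell">${cell.text}</textarea>`;
    case "url":
      return `<a class="av__cell" href="${cell.url}">${cell.url}</a>`;
    case "phone":
      return `<a class="av__cell" href="tel:${cell.phone}">${cell.phone}</a>`;
    case "mAsset":
      return cell.assets
        .map((a) => `<img class="av__cell" src="${a.src}" alt="${a.name}">`)
        .join("");
    default:
      return "";
  }
}

// Escape the five characters that can change tag or attribute context. Inside
// <textarea> the browser decodes &lt; back to a visible "<" but does not parse
// it as markup, so the stored value still displays exactly as written.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escaping alone does not stop javascript: in an href, so link targets are
// additionally restricted to the schemes a cell of that type should carry.
const URL_OK = /^https?:\/\/\S+$/i;
const PHONE_OK = /^\+?[0-9][0-9\s().-]{2,}$/;

function renderCellSafe(cell) {
  switch (cell.type) {
    case "text":
      return `<textarea class="av__cell">${escapeHtml(cell.text)}</textarea>`;
    case "url":
      return URL_OK.test(cell.url)
        ? `<a class="av__cell" href="${escapeHtml(cell.url)}">${escapeHtml(cell.url)}</a>`
        : `<span class="av__cell">${escapeHtml(cell.url)}</span>`; // show, do not link
    case "phone":
      return PHONE_OK.test(cell.phone)
        ? `<a class="av__cell" href="tel:${escapeHtml(cell.phone)}">${escapeHtml(cell.phone)}</a>`
        : `<span class="av__cell">${escapeHtml(cell.phone)}</span>`;
    case "mAsset":
      return cell.assets
        .map((a) => `<img class="av__cell" src="${escapeHtml(a.src)}" alt="${escapeHtml(a.name)}">`)
        .join("");
    default:
      return "";
  }
}

// Does the rendered HTML carry the injected element as live markup? Once
// escaped, the literal "<img ... onerror=" sequence cannot appear.
function injectedImgPresent(html) {
  return html.includes(INJECTED);
}

// Demo over all four affected branches.
const cases = [
  { type: "text", text: PAYLOAD_TEXTAREA },
  { type: "url", url: PAYLOAD_ATTR },
  { type: "phone", phone: PAYLOAD_ATTR },
  { type: "mAsset", assets: [{ src: "assets/x.png", name: PAYLOAD_ATTR }] },
];
for (const c of cases) {
  console.log(
    c.type.padEnd(7),
    "vulnerable injects:", injectedImgPresent(renderCellVulnerable(c)),
    " hardened injects:", injectedImgPresent(renderCellSafe(c)),
  );
}
```

The hardened branches keep the stored value visible (a cell reading `</textarea>` still shows those characters) while removing its ability to change parsing context; the scheme checks are the extra step that output escaping does not cover for href attributes.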
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, prior to version 3.7.0. The issue is in the attribute-view (database) cell renderer called genAVValueHTML, which improperly interpolates raw cell content in four branches: text, url, phone, and mAsset. Malicious cell values containing crafted HTML and JavaScript, such as closing tags followed by an image tag with an onerror event, can break out of their intended context and execute arbitrary JavaScript when a user opens the block-attribute panel.

On the Electron desktop version, the renderer runs with nodeIntegration enabled, allowing the cross-site scripting (XSS) attack to escalate to remote code execution (RCE) through Node.js modules such as 'child_process'. Since attribute-view files are synced across devices, an attacker with write access to any synced workspace can plant a payload that executes on every device opening the affected panel. The payload persists because the value is escaped neither on write (the kernel stores it byte-for-byte) nor on render (genAVValueHTML interpolates it raw).

This vulnerability was fixed in version 3.7.0 of SiYuan.

Impact Analysis

This vulnerability can have severe impacts including the execution of arbitrary JavaScript code within the application context when a user opens a block-attribute panel containing the malicious cell.

On Electron desktop versions, this can escalate to remote code execution (RCE) on the host system due to nodeIntegration being enabled, allowing attackers to run system commands via Node.js modules.

Because the malicious payload can be synced across devices through the workspace files, an attacker with write access to any synced workspace can compromise all devices that open the affected panel, leading to widespread compromise.

Overall, this can lead to full compromise of the affected host, data theft, unauthorized actions, and loss of integrity and availability of the data and systems involved.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.0 or later, where the issue is fixed.

Additionally, restrict write access to synced workspaces to prevent attackers from planting malicious payloads.

On an unpatched client, opening a block-attribute panel that contains a planted row is enough to trigger the payload, so until the upgrade is applied avoid opening panels for rows that originate in workspaces other users can write to. Because the kernel stores the cell value byte-for-byte, also review attribute-view files already present in synced workspaces for cell values that contain markup: upgrading stops the value from executing but should not be assumed to remove anything already stored.
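The audit step above needs something that walks stored attribute-view data and flags cell values that could break out of the renderer's context. The following is an added example, not SiYuan tooling; it also illustrates the description's point that the planted cell persists in the file. The JSON layout it walks (keyValues holding a key and a values array, each value carrying a text, url, phone or mAsset sub-object) is my assumption of the AV file format and must be checked against your own files; the sample document is constructed, and the patterns are heuristics meant for a manual review queue, not a verdict.

```javascript
// Added example, not SiYuan tooling: audit attribute-view cell values already
// persisted in a workspace for markup that would break out of the renderer's
// tag or attribute context. The JSON layout walked here is an assumption
// about the AV file format; verify it against real files first.

const VULNERABLE_TYPES = new Set(["text", "url", "phone", "mAsset"]);

// Heuristics, tuned for low noise on prose: a tag open or close with the name
// directly after "<" (so "2 < 5" passes), an on*= handler at a word boundary
// (so "Conversion = 3" passes), a javascript: scheme, and a quote followed
// by a tag close, which is the attribute-breakout shape.
const SUSPICIOUS = [
  /<\/?[a-z!]/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
  /["'][^"'<>]*>/,
];

// The string fields each affected branch interpolated, per value type.
function cellStrings(value) {
  switch (value.type) {
    case "text":  return [["text.content", value.text && value.text.content]];
    case "url":   return [["url.content", value.url && value.url.content]];
    case "phone": return [["phone.content", value.phone && value.phone.content]];
    case "mAsset":
      return (value.mAsset || []).flatMap((a, i) => [
        [`mAsset[${i}].name`, a.name],
        [`mAsset[${i}].content`, a.content],
      ]);
    default: return [];
  }
}

// Walk one parsed AV document and return every cell field that trips a rule.
function findSuspiciousCells(av) {
  const findings = [];
  for (const kv of av.keyValues || []) {
    for (const v of kv.values || []) {
      if (!VULNERABLE_TYPES.has(v.type)) continue;
      for (const [field, s] of cellStrings(v)) {
        if (typeof s !== "string") continue;
        const rule = SUSPICIOUS.find((re) => re.test(s));
        if (rule) {
          findings.push({
            av: av.name, key: kv.key.name, blockID: v.blockID,
            type: v.type, field, rule: rule.source, snippet: s.slice(0, 80),
          });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: row b1 is benign, row b2 carries three planted values.
const SAMPLE_AV = {
  id: "av-sample", name: "Vendors",
  keyValues: [
    { key: { id: "k1", name: "Notes", type: "text" }, values: [
      { blockID: "b1", type: "text", text: { content: "Conversion rate = 3% and 2 < 5" } },
      { blockID: "b2", type: "text", text: { content: '</textarea><img src=x onerror="alert(1)">' } },
    ] },
    { key: { id: "k2", name: "Site", type: "url" }, values: [
      { blockID: "b1", type: "url", url: { content: "https://example.com/?a=1" } },
      { blockID: "b2", type: "url", url: { content: "javascript:alert(1)" } },
    ] },
    { key: { id: "k3", name: "Phone", type: "phone" }, values: [
      { blockID: "b1", type: "phone", phone: { content: "+1 555 0100" } },
    ] },
    { key: { id: "k4", name: "Files", type: "mAsset" }, values: [
      { blockID: "b2", type: "mAsset", mAsset: [
        { type: "image", name: '"><img src=x onerror="alert(1)">', content: "assets/x.png" },
      ] },
    ] },
  ],
};

for (const f of findSuspiciousCells(SAMPLE_AV)) {
  console.log(`${f.av}/${f.key} block=${f.blockID} ${f.type} ${f.field}: ${f.snippet}`);
}
```

Run it over each attribute-view JSON file in a synced workspace (read the file, JSON.parse it, pass the object to findSuspiciousCells) and review every hit by block ID; a flagged row that no collaborator recognises is the one to treat as planted.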
