CVE-2026-59855
Deferred Deferred - Pending Action

SiYuan Path Traversal to Remote Code Execution

Vulnerability report for CVE-2026-59855, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an event handler, and execute JavaScript that can run OS commands in the Electron renderer. This issue is fixed in versions 3.7.1-alpha.2 and 3.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
siyuan si_yuan to 3.7.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to execute arbitrary JavaScript and potentially run OS commands on the victim's machine by exploiting a Cross-Site Scripting (XSS) flaw in the SiYuan application. Such unauthorized code execution and system compromise can lead to unauthorized access to sensitive data.

Because the vulnerability can result in full system compromise and unauthorized data access, it poses significant risks to compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Failure to address this vulnerability could lead to violations of these standards due to potential data breaches, unauthorized data processing, and lack of adequate security controls.

Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions prior to 3.7.1. The issue is in the Asset.render function where an unsanitized path value is interpolated directly into HTML assigned to innerHTML. This allows an attacker to craft an asset link containing a double quote that breaks out of the src attribute, injects an event handler, and executes JavaScript code. The JavaScript can then run operating system commands within the Electron renderer environment.

Impact Analysis

This vulnerability can lead to remote code execution within the Electron renderer process. An attacker exploiting this flaw can execute arbitrary JavaScript that may run OS commands on the affected system. This can result in unauthorized control over the system, data theft, or further compromise of the environment where SiYuan is used.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade SiYuan to version 3.7.1-alpha.2 or later, or version 3.7.1 or later, where the issue has been fixed.

Detection Guidance

This vulnerability involves a DOM-based Cross-Site Scripting (XSS) flaw in the SiYuan application where unsanitized asset paths are interpolated into HTML, allowing execution of arbitrary JavaScript and OS commands. Detection on a network or system would involve identifying attempts to exploit this by looking for crafted asset links containing special characters like double quotes that break out of HTML attributes.

Since the vulnerability is triggered by clicking a crafted link in the SiYuan application, detection can focus on monitoring for suspicious asset paths or HTML content containing unescaped quotes or event handlers in the application data or logs.

Specific commands to detect exploitation attempts are not provided in the available resources. However, general approaches could include:

  • Searching application logs or saved documents for asset paths containing suspicious characters such as double quotes (") or event handler attributes (e.g., onerror, onclick).
  • Using network monitoring tools to detect HTTP requests or WebSocket messages containing suspicious payloads targeting the asset rendering functionality.
  • Employing content scanning tools or scripts to parse SiYuan documents or data files for unescaped HTML attributes or embedded scripts.

Because the vulnerability is specific to the SiYuan desktop application and its internal rendering of assets, detection commands would be highly context-dependent and may require custom scripts or manual inspection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59855. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart