CVE Reports

Originally published at cvereports.com

CVE-2026-39846: Remote Code Execution via Stored XSS in SiYuan Electron Client

Vulnerability ID: CVE-2026-39846
CVSS Score: 9.1
Published: 2026-04-08

The SiYuan Electron desktop client contains a critical vulnerability that allows unauthenticated remote code execution. A stored cross-site scripting flaw in table captions, combined with an insecure Electron configuration, lets an attacker who can deliver a malicious note through workspace synchronization execute arbitrary system commands on the victim's machine.

TL;DR

SiYuan versions prior to 3.6.4 contain a stored XSS in table captions. Because the Electron renderer runs with insecure framework settings (nodeIntegration enabled), the injected script is not confined to the page and the flaw escalates to full remote code execution. The attack is delivered through malicious notes that reach the victim via synchronization.
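As an added illustration (not code from SiYuan or from the CVE report), the following JavaScript audits an Electron window's webPreferences for the settings that decide whether a stored XSS in renderer content can reach Node.js; the weak and hardened configuration objects are constructed for this example.

```javascript
// Added example for this post; it is not SiYuan's code and not from the CVE
// report. It audits the Electron BrowserWindow webPreferences that decide
// whether script injected into renderer content (such as a stored XSS in a
// table caption) stays a browser-level problem or reaches Node.js on the host.

// Constructed stand-in for the weak configuration the advisory names
// (nodeIntegration enabled); the other two keys commonly accompany it.
const WEAK_WEB_PREFERENCES = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// Hardened baseline from Electron's security guidance: renderer JavaScript
// gets no direct Node access, preload code lives in its own realm, and the
// renderer process runs inside the OS sandbox.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// Explicit settings that weaken the renderer boundary, with the reason each
// matters. Keys left undefined inherit Electron's version-dependent defaults,
// so only explicitly set values are judged here.
const RISKY_SETTINGS = [
  ['nodeIntegration', true, 'renderer scripts can require() Node built-in modules'],
  ['nodeIntegrationInWorker', true, 'web workers get the same Node access'],
  ['contextIsolation', false, 'page scripts share the preload script\'s JavaScript realm'],
  ['sandbox', false, 'renderer process is not confined by the OS sandbox'],
  ['webSecurity', false, 'same-origin policy is disabled'],
  ['allowRunningInsecureContent', true, 'HTTPS pages may run scripts loaded over HTTP'],
];

// Returns one finding per risky explicit value; an empty array means the
// window keeps injected script at the renderer boundary.
function auditWebPreferences(prefs) {
  return RISKY_SETTINGS
    .filter(([key, badValue]) => prefs[key] === badValue)
    .map(([key, badValue, why]) => `${key}: ${badValue} -> ${why}`);
}

function isRendererIsolated(prefs) {
  return auditWebPreferences(prefs).length === 0;
}

// Stand-alone run: prints the findings for the weak configuration.
for (const finding of auditWebPreferences(WEAK_WEB_PREFERENCES)) console.log(finding);
```

Run against the webPreferences objects an application actually passes to `new BrowserWindow(...)`, the audit flags each explicit weakening; a CSP on the rendered notes is still needed to limit the XSS itself.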

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79, CWE-94
  • Attack Vector: Network (Workspace Sync)
  • CVSS v3.1: 9.1
  • EPSS Score: 0.00138 (percentile: 33.98%)
  • Impact: Critical (Remote Code Execution)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • SiYuan Electron Desktop Client
  • SiYuan: < 3.6.4 (Fixed in: 3.6.4)

Exploit Details

Mitigation Strategies

  • Update application to the fixed release
  • Disable synchronization with untrusted workspaces
  • Monitor endpoints with EDR for anomalous process execution originating from the SiYuan client

Remediation Steps:

  1. Download SiYuan version 3.6.4 or later from the official repository.
  2. Install the update over the existing application to preserve local notes.
  3. Verify the application version in the settings menu.
  4. If utilizing shared workspaces, coordinate with other users to ensure all clients are updated to prevent re-infection.

References

The full report for CVE-2026-39846, including interactive diagrams and the full exploit analysis, is available on cvereports.com.
