CVE-2026-39846
Published April 8, 2026 · Updated April 8, 2026
What This Means
CVE-2026-39846 is a critical remote code execution vulnerability affecting SiYuan versions prior to 3.6.4. An attacker can exploit this flaw by creating a malicious note that, when synced to another user, allows the execution of malicious JavaScript in the SiYuan Electron desktop client due to improper handling of table caption content. To mitigate this risk, users must upgrade to version 3.6.4 or later immediately.
Official Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.
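The flaw described above, as an added illustration rather than SiYuan's own code: a table caption that is stored raw and then run through an unescape step before being inserted into HTML, beside a renderer that escapes at the point of output, plus the two Electron `webPreferences` settings whose weak values turn a stored XSS into access to Node.js APIs. All function names and the sample caption are hypothetical.

```javascript
// Added example, not SiYuan's code: the stored-XSS pattern the advisory
// describes (caption stored unescaped, unescaped again at render time,
// inserted into HTML) next to a hardened renderer, plus the Electron
// renderer settings that decide whether page script can reach Node.js.
// All function and variable names here are hypothetical.

// Minimal HTML entity escaping for text placed between tags.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reverse of escapeHtml. The vulnerable path applies this to data that was
// never escaped in the first place, so raw markup reaches the DOM.
function unescapeHtml(text) {
  return String(text)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Vulnerable: the caption from the synced note lands in markup untouched.
function renderCaptionVulnerable(storedCaption) {
  return `<caption>${unescapeHtml(storedCaption)}</caption>`;
}

// Hardened: escape where text becomes HTML, whatever the storage layer did.
// Assigning the caption via textContent on a DOM node is the equivalent fix.
function renderCaptionSafe(storedCaption) {
  return `<caption>${escapeHtml(storedCaption)}</caption>`;
}

// Electron BrowserWindow webPreferences. With the weak pair, any script
// running in the page can call Node.js APIs; the hardened pair confines it.
const weakWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Constructed caption carrying markup, as a synced note could.
const untrustedCaption = 'Quarterly totals <b>draft</b> "v2"';

// True if the rendered fragment contains any tag other than <caption>.
function leaksMarkup(html) {
  return /<(?!\/?caption>)/.test(html);
}
```

Detection on the defender side follows the same idea: flag stored captions that contain `<` or `&` sequences that were never entity-encoded.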
Recommended Actions
- Check whether any of your systems run the SiYuan Electron desktop client at a version prior to 3.6.4.
- Upgrade affected installations to SiYuan 3.6.4 or later immediately.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2026-39846.