cvefeed.io
Critical Stored XSS Vulnerability in SiYuan Enables Remote Code Execution
SiYuan, an open-source personal knowledge management system, has disclosed a critical stored cross-site scripting (XSS) vulnerability that can escalate to remote code execution (RCE) in its Electron desktop client. The flaw, tracked as CVE-2026-54158, affects versions prior to 3.7.0 and arises from unsafe HTML rendering in attribute-view cells. An attacker can exploit it by inserting malicious content into text, URL, phone, and asset fields; that content is then executed in the client when a victim interacts with the affected content. The impact is exacerbated by insecure Electron settings, which allow the injected JavaScript to access Node.js APIs. The vulnerability was published on June 24, 2026, with a CVSS score of 9.9, indicating its critical nature. Users are advised to upgrade to version 3.7.0 to mitigate the risk. Two related advisories, published on June 3, 2026, describe similar stored XSS vulnerabilities in SiYuan's attribute-view rendering.
Key Points:
• CVE-2026-54158 allows stored XSS to escalate to RCE in SiYuan's Electron client.
• The vulnerability affects all versions prior to 3.7.0 and has a CVSS score of 9.9.
• Users are urged to upgrade to SiYuan version 3.7.0 to mitigate the risk.