Critical Stored XSS Vulnerability in SiYuan Leads to RCE Risk

SiYuan disclosed a critical stored cross-site scripting vulnerability (CVE-2026-54158) that can escalate to remote code execution in its Electron desktop client. The flaw affects versions prior to 3.7.0 and is due to unsafe HTML rendering in attribute-view cells, particularly in the genAVValueHTML() function. Attackers can exploit this vulnerability by inserting malicious content into text, URL, phone, and asset fields, which is then rendered without proper escaping. The impact is exacerbated by insecure Electron settings, allowing injected JavaScript to access Node.js APIs. Malicious payloads can persist in workspace JSON data and spread through normal sync or collaborative workflows. The vulnerability has a CVSS score of 9.9 and has been patched in version 3.7.0. Security advisories recommend immediate upgrades and stronger output encoding to mitigate risks.

Key Points: • CVE-2026-54158 is a critical stored XSS vulnerability in SiYuan affecting versions before 3.7.0. • The flaw allows remote code execution due to unsafe HTML rendering in attribute-view cells. • Users are urged to upgrade to SiYuan version 3.7.0 to mitigate the risk of exploitation.