
CVE-2026-40322: SiYuan Knowledge Management RCE Vulnerability

CVE-2026-40322 is a stored cross-site scripting vulnerability in the SiYuan knowledge management system, affecting versions 3.6.3 and below, that escalates to remote code execution on Electron desktop builds. A malicious Mermaid diagram embedded in a note can execute arbitrary code. This article covers technical details, impact, and mitigation.


CVE-2026-40322 Overview

CVE-2026-40322 is a critical Cross-Site Scripting (XSS) vulnerability in SiYuan, an open-source personal knowledge management system. The vulnerability exists in versions 3.6.3 and below, where Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node.

Critical Impact

This vulnerability enables attackers to achieve arbitrary code execution on desktop Electron builds through a stored XSS attack vector, potentially compromising the entire system when a victim interacts with a malicious Mermaid diagram.

Affected Products

  • SiYuan versions 3.6.3 and below
  • SiYuan Desktop (Electron-based builds)
  • SiYuan installations using Mermaid diagram rendering

Discovery Timeline

  • 2026-04-16 - CVE-2026-40322 published to NVD
  • 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-40322

Vulnerability Analysis

This vulnerability represents a dangerous combination of insecure content rendering and Electron security misconfigurations. The root issue lies in how SiYuan processes Mermaid diagram content within notes. When a user creates or opens a note containing a Mermaid code block, the application renders the diagram with the Mermaid library's securityLevel option configured as "loose" rather than the more restrictive "strict" setting.

With loose security, Mermaid allows potentially dangerous content such as javascript: protocol handlers to be included in diagram node definitions. This rendered SVG content is then inserted directly into the page DOM using innerHTML, bypassing any sanitization that might otherwise strip malicious scripts.

On its own, this stored XSS vulnerability would be concerning but limited in scope. However, SiYuan's Electron configuration dramatically amplifies the impact. The application creates browser windows with nodeIntegration: true and contextIsolation: false, meaning JavaScript executing in the renderer process has direct access to Node.js APIs. An attacker exploiting this XSS can therefore execute arbitrary system commands, read and write files, and fully compromise the victim's machine.

Root Cause

The vulnerability stems from two compounding security weaknesses. First, the Mermaid diagram renderer is configured with securityLevel: "loose", which permits dangerous content such as javascript: URLs in diagram nodes. Second, the rendered SVG is inserted into the DOM using innerHTML without sanitization. Combined with SiYuan's insecure Electron window configuration (nodeIntegration: true, contextIsolation: false), this allows an XSS payload to escalate to full code execution with Node.js capabilities.

Attack Vector

The attack requires an attacker to craft a malicious note containing a specially crafted Mermaid diagram code block. The Mermaid syntax allows defining clickable nodes with URL handlers. By embedding a javascript: URL containing malicious code, the attacker can create a diagram that executes arbitrary JavaScript when clicked.

When a victim opens the note and clicks on the malicious diagram node, the JavaScript executes within the Electron renderer context. Due to the enabled nodeIntegration and disabled contextIsolation, this JavaScript has full access to Node.js APIs, allowing the attacker to spawn child processes, access the file system, or perform any operation the user account permits.

Because the malicious note is delivered remotely (for example as a shared or imported note), the attack vector is network-based; it requires only low privileges on the attacker's side, but it depends on user interaction, since the victim must click the diagram node.

Detection Methods for CVE-2026-40322

Indicators of Compromise

  • Presence of notes containing Mermaid code blocks with javascript: protocol URLs
  • Unusual child processes spawned from the SiYuan Electron application
  • File system modifications originating from the SiYuan process outside normal application directories
  • Network connections initiated by SiYuan to unexpected external hosts

Detection Strategies

  • Monitor for Mermaid diagram content containing javascript:, data:, or other dangerous URI schemes in stored notes
  • Implement endpoint detection rules for Node.js child process spawning from Electron applications
  • Audit SiYuan note databases for suspicious Mermaid code block patterns
  • Deploy application behavior monitoring to detect anomalous file or network activity from SiYuan
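As an added example of the content audit suggested above (and of the javascript: click-handler pattern described under Technical Details), the following Node.js script scans Markdown notes for Mermaid blocks whose click handlers or HTML labels point at dangerous URI schemes; it is not SiYuan project code, and the note names and contents are constructed for the demonstration.

```javascript
// Added example for this advisory, not SiYuan project code. Scans Markdown notes
// for ```mermaid blocks whose click handlers or HTML labels use javascript:,
// data: or vbscript: URLs. The sample notes below are constructed.
const DANGEROUS_SCHEMES = new Set(['javascript', 'data', 'vbscript']);

// Mermaid flowchart click handlers:  click A "url" "tooltip"  or  click A href "url"
const CLICK_RE = /^\s*click\s+\S+\s+(?:href\s+)?"([^"]*)"/i;
// href attributes in HTML labels, which Mermaid renders only when securityLevel is "loose"
const HREF_RE = /href\s*=\s*["']([^"']*)["']/gi;

// Extract the scheme conservatively: browsers strip leading whitespace and embedded
// tab/newline before parsing, so drop every space/control character, then lower-case.
function urlScheme(url) {
  const cleaned = url.replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Walk one note and return findings of the form { note, line, kind, scheme }.
function scanNote(name, markdown) {
  const findings = [];
  let inMermaid = false;
  markdown.split(/\r?\n/).forEach((line, idx) => {
    if (!inMermaid) {
      if (/^\s*```\s*mermaid\b/i.test(line)) inMermaid = true;
      return;
    }
    if (/^\s*```/.test(line)) { inMermaid = false; return; }
    const urls = [];
    const click = CLICK_RE.exec(line);
    if (click) urls.push({ kind: 'click-handler', url: click[1] });
    for (const m of line.matchAll(HREF_RE)) urls.push({ kind: 'html-label-href', url: m[1] });
    for (const { kind, url } of urls) {
      const scheme = urlScheme(url);
      if (scheme && DANGEROUS_SCHEMES.has(scheme)) findings.push({ note: name, line: idx + 1, kind, scheme });
    }
  });
  return findings;
}

function scanAll(notes) {
  return Object.entries(notes).flatMap(([name, md]) => scanNote(name, md));
}

// Constructed sample notes: a benign diagram, and a shared note carrying the javascript:
// click handler from the advisory (mixed case, leading tab) plus a data: link in a label.
const SAMPLE_NOTES = {
  'safe.md': '# Plan\n```mermaid\ngraph TD\n  A[Docs] --> B[Site]\n  click A "https://example.org/docs"\n```\n',
  'shared.md': '```mermaid\ngraph LR\n  A[Open me] --> B\n  click A "\tJaVaScRipt:void(0)" "tip"\n  B["<a href=\'data:text/html,x\'>x</a>"]\n```\n',
};

for (const f of scanAll(SAMPLE_NOTES)) console.log(`${f.note}:${f.line} ${f.kind} uses ${f.scheme}:`);
```

Run it over an export of the note directory (one Markdown string per file) to produce a per-line list of blocks that should be reviewed before anyone opens them on an unpatched desktop build.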

Monitoring Recommendations

  • Enable process creation logging to identify suspicious child processes from SiYuan
  • Monitor file integrity in sensitive directories for changes initiated by the SiYuan process
  • Implement network traffic analysis for unusual outbound connections from note-taking applications
  • Review shared notes or imported content for potentially malicious Mermaid diagrams before opening

How to Mitigate CVE-2026-40322

Immediate Actions Required

  • Upgrade SiYuan to version 3.6.4 or later immediately
  • Review any recently received or imported notes for suspicious Mermaid diagram content
  • Avoid clicking on diagram nodes in notes from untrusted sources until patched
  • Consider temporarily disabling Mermaid diagram rendering if upgrade is not immediately possible

Patch Information

The vulnerability has been addressed in SiYuan version 3.6.4. Users should upgrade immediately to receive the security fix. The patch addresses the insecure Mermaid securityLevel configuration and improves content sanitization before DOM insertion. For detailed release information, refer to the SiYuan v3.6.4 Release Notes. Additional technical details are available in the GitHub Security Advisory GHSA-x63q-3rcj-hhp5.

Workarounds

  • Avoid opening notes from untrusted sources containing Mermaid diagrams
  • Do not click on diagram nodes until the application is upgraded to version 3.6.4
  • Review and sanitize any imported or shared notes before opening
  • Consider using SiYuan's web version if available, since a browser-hosted renderer does not expose Node.js APIs to page scripts the way the Electron desktop build does

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
