Cyber Posture

CVE-2026-39846

Critical · Public PoC · RCE

Published: 07 April 2026

Published: 07 April 2026
Modified: 16 April 2026
KEV Added:
Patch:
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39846 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 39.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly mitigates the storage of table caption content without safe escaping by validating and sanitizing inputs to prevent creation of the stored XSS sink.
- prevent: Prevents the unescaping of stored content into rendered HTML by filtering outputs, blocking XSS payload execution in the renderer.
- prevent: Enforces secure Electron configuration settings like disabling nodeIntegration and enabling contextIsolation to block XSS escalation to Node.js RCE.

MITRE ATT&CK Enterprise Techniques

- T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
- T1080 Taint Shared Content (tactic: Lateral Movement)
Why these techniques?

The vulnerability is a stored XSS in the Electron desktop client leading to RCE via Node.js APIs when victims open a malicious note in a shared workspace, directly enabling Exploitation for Client Execution (T1203) and Taint Shared Content (T1080).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note. This vulnerability is fixed in 3.6.4.

Deeper analysis

CVE-2026-39846 is a remote code execution vulnerability in the SiYuan personal knowledge management system, specifically affecting the Electron desktop client versions prior to 3.6.4. The issue stems from table caption content being stored without proper safe escaping and later unescaped into rendered HTML, resulting in a stored cross-site scripting (XSS) sink (CWE-79). Due to the desktop renderer operating with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript gains access to Node.js APIs, escalating the XSS into arbitrary code execution (CWE-94).

An attacker with low privileges (PR:L) in a shared workspace can exploit this by importing a malicious note. When a victim user syncs the workspace and opens the note, user interaction (UI:R) triggers the payload, enabling network-accessible (AV:N) execution in a changed scope (S:C) with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). This allows full system compromise on the victim's machine.

The GitHub Security Advisory (GHSA-phhp-9rm9-6gr2) confirms the vulnerability is fixed in SiYuan version 3.6.4, recommending users update to this release for mitigation.
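The two defensive layers the analysis describes, shown side by side in an added example that is not SiYuan's code: a caption renderer that unescapes stored content straight into markup (the vulnerable pattern) beside one that escapes at render time, and a check over Electron `webPreferences` for the nodeIntegration/contextIsolation combination that turns an XSS into Node.js access. The entity decoder and the sample stored caption are constructed for the example; the `sandbox` option is a real Electron setting but is not mentioned on this page.

```javascript
// Added example (not SiYuan's code): escape-at-render for table captions and
// a check of the Electron renderer settings named in the advisory.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Minimal entity decoder standing in for the note store's unescape step
// (assumed; the real store implementation is not shown on this page).
function unescapeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Vulnerable pattern from the advisory: stored caption text is unescaped and
// dropped into markup, so any tags inside it become live HTML.
function renderCaptionUnsafe(storedCaption) {
  return `<caption>${unescapeEntities(storedCaption)}</caption>`;
}

// Hardened pattern: whatever the store holds, the renderer escapes it before
// emitting, so caption text can never introduce elements or handlers.
function renderCaptionSafe(storedCaption) {
  return `<caption>${escapeHtml(unescapeEntities(storedCaption))}</caption>`;
}

// Electron webPreferences: the weak combination the advisory describes and a
// hardened one. contextIsolation keeps preload/Node globals out of page scripts.
const WEAK_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Page script can reach Node.js APIs when nodeIntegration is on or
// contextIsolation is off; either one escalates a renderer XSS to RCE.
function rendererCanReachNode(prefs) {
  return prefs.nodeIntegration === true || prefs.contextIsolation !== true;
}

// Constructed stored caption containing escaped markup, as a synced note might carry.
const CONSTRUCTED_CAPTION = 'Q3 &lt;b&gt;results&lt;/b&gt; &amp; notes';
```

Running `rendererCanReachNode` against the settings a build actually uses is a cheap regression check to keep in the desktop client's test suite.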

Details

CWE(s)

Affected Products

b3log
siyuan
≤ 3.6.4

CVEs Like This One

- CVE-2026-40322 (same product: B3Log Siyuan)
- CVE-2026-34585 (same product: B3Log Siyuan)
- CVE-2026-34448 (same product: B3Log Siyuan)
- CVE-2026-23852 (same product: B3Log Siyuan)
- CVE-2026-32751 (same product: B3Log Siyuan)
- CVE-2026-33066 (same product: B3Log Siyuan)
- CVE-2026-33067 (same product: B3Log Siyuan)
- CVE-2026-29183 (same product: B3Log Siyuan)
- CVE-2026-34449 (same product: B3Log Siyuan)
- CVE-2026-32940 (same product: B3Log Siyuan)

References