CVE-2026-40322
Published: 16 April 2026
Summary
CVE-2026-40322 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 14.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Filters SVG output from Mermaid rendering to block javascript: URLs before innerHTML injection, directly preventing stored XSS.
- Validates Mermaid code inputs to reject malicious content embedding javascript: URLs, stopping exploitation at the input stage.
- Enforces secure Electron configuration settings such as nodeIntegration disabled and contextIsolation enabled to block XSS escalation to arbitrary code execution.
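The controls above as runnable checks, added here as an illustration and not taken from the SiYuan project: a bypass-aware scheme test for SVG link attributes, an attribute filter to apply to Mermaid output before it reaches innerHTML, and an audit of Electron webPreferences. Function names and the sandbox check are assumptions; the rest follows the advisory's description.

```javascript
// Added example, not SiYuan project code. Function names are assumptions.

// Link schemes that execute script when the rendered SVG node is clicked.
const BLOCKED_SCHEMES = ["javascript:", "vbscript:", "data:"];

// Decode a numeric entity to a character, mapping out-of-range values to U+FFFD.
const cp = (n) => String.fromCodePoint(n > 0x10ffff ? 0xfffd : n);

// Normalise an attribute value the way a browser does before it resolves the
// scheme: decode numeric entities, strip leading/trailing control characters
// and spaces, drop tab/newline anywhere, lower-case. Matching the raw string
// would miss "&#x6A;avascript:" or "java\tscript:".
function normaliseUrl(raw) {
  return String(raw)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
}

function isDangerousUrl(raw) {
  const url = normaliseUrl(raw);
  return BLOCKED_SCHEMES.some((scheme) => url.startsWith(scheme));
}

// Filter one element's attributes (a plain name->value map, so this runs
// without a DOM): drop event handlers and link targets with a blocked scheme.
// In the renderer, walk the Mermaid SVG and apply this to every element
// before the markup reaches innerHTML.
function sanitizeSvgAttributes(attrs) {
  const clean = {};
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (n.startsWith("on")) continue; // onclick, onload, ...
    if ((n === "href" || n === "xlink:href") && isDangerousUrl(value)) continue;
    clean[name] = value;
  }
  return clean;
}

// Audit an Electron BrowserWindow webPreferences object for the settings that
// let renderer XSS reach Node. Defaults differ between Electron versions, so
// only explicit values are judged; set all three explicitly in production.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration: true exposes Node APIs to page script");
  if (prefs.contextIsolation === false) findings.push("contextIsolation: false lets page script reach the preload/Electron bridge");
  if (prefs.sandbox === false) findings.push("sandbox: false removes the OS-level renderer sandbox");
  return findings;
}
```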
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS via loose Mermaid securityLevel and innerHTML injection in the Electron desktop client (with nodeIntegration enabled) directly enables exploitation of the client application to achieve arbitrary code execution (RCE).
NVD Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.
Deeper analysis
CVE-2026-40322 is a critical-severity vulnerability (CVSS 9.0) affecting SiYuan, an open-source personal knowledge management system, in versions 3.6.3 and prior. The issue stems from Mermaid diagrams being rendered with a "loose" securityLevel, producing SVGs that are injected into the DOM using innerHTML. This permits attacker-controlled javascript: URLs embedded in Mermaid code blocks to persist in the output, enabling stored cross-site scripting (XSS; CWE-79) and code injection (CWE-94). The vulnerability is particularly severe in desktop builds based on Electron, where windows are launched with nodeIntegration enabled and contextIsolation disabled.
An attacker with low privileges (PR:L) can exploit this by inserting a malicious Mermaid diagram into a note. Victim interaction (UI:R) is required: opening the note and clicking the rendered diagram node triggers the javascript: URL, leading to stored XSS. In Electron desktop environments, this escalates to arbitrary code execution (C:H/I:H/A:H) with network accessibility (AV:N/AC:L) and scope change (S:C), potentially compromising the victim's system in full.
The vulnerability has been addressed in SiYuan version 3.6.4, as detailed in the project's release notes and GitHub Security Advisory GHSA-x63q-3rcj-hhp5. Security practitioners should urge users to update to 3.6.4 or later, verify note contents from untrusted sources, and consider disabling or sandboxing Mermaid rendering in affected deployments until patched.
Details
- CWE(s)