CVE-2026-41421
Published: 24 April 2026
Summary
CVE-2026-41421 is a high-severity vulnerability in the SiYuan desktop client, classified as OS Command Injection (CWE-78) and Cross-site Scripting (CWE-79). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 3.3rd percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-41421 affects SiYuan, an open-source personal knowledge management system, in desktop builds prior to version 3.6.5. The flaw is that notification messages are rendered as raw HTML inside an Electron renderer process. The POST /api/notification/pushMsg endpoint accepts a user-controlled msg value, which the backend broadcast layer forwards to the frontend, where message.ts inserts it into the DOM with insertAdjacentHTML(). Because main.js creates the Electron window with nodeIntegration: true, contextIsolation: false, and webSecurity: false, the impact goes well beyond ordinary XSS: script executing from the notification can call Node.js APIs directly.
An attacker with local access and low privileges (PR:L) can exploit this with low attack complexity (AC:L) and no user interaction (UI:N); the scope changes (S:C) and the confidentiality, integrity, and availability impacts are all high, which yields the CVSS 8.8 score. A notification message containing JavaScript executes in the renderer context and, through the exposed Node APIs, escalates to arbitrary code execution on the desktop. The CVE is tagged CWE-78 (OS Command Injection) and CWE-79 (Cross-site Scripting), reflecting an injection flaw whose end result is code execution.
The GitHub Security Advisory (GHSA-grjj-6f6g-cq8q) confirms the issue is fixed in SiYuan 3.6.5. Practitioners should advise users to update to 3.6.5 or later; no workarounds are described in the available references.
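The sink described above, modelled as an added example (editor's illustration, not SiYuan's code and not its actual patch): a stand-in element whose insertAdjacentHTML() appends raw markup, the vulnerable rendering and an entity-encoded rendering of the same constructed payload, and a small check that tells them apart. The FakeElement class, the notification class name and the findInjectedTags() helper are assumptions made for the illustration; only the insertAdjacentHTML() sink and the nodeIntegration: true consequence come from the advisory.

```javascript
// Added illustration, not SiYuan's code: the notification sink from the
// advisory modelled as string handling so it runs in Node without a DOM.
// FakeElement stands in for the real element; only insertAdjacentHTML()
// is modelled, because that is the call the advisory names.
class FakeElement {
  constructor() {
    this.innerHTML = "";
  }
  insertAdjacentHTML(position, html) {
    if (position !== "beforeend") throw new Error("only beforeend is modelled");
    // A real browser parses this string as markup and runs any handlers in it.
    this.innerHTML += html;
  }
}

// Vulnerable shape: the user-controlled msg is interpolated straight into
// an HTML sink, so markup in msg becomes live DOM. In a renderer created
// with nodeIntegration: true an event handler in that markup can call
// require("child_process") rather than merely alert().
function renderUnsafe(el, msg) {
  el.insertAdjacentHTML("beforeend", `<div class="notification">${msg}</div>`);
  return el.innerHTML;
}

// Entity-encode the five characters that can break out of text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened shape (editor's illustration of the fix direction, not the
// project's patch): encode msg before it reaches the sink, so the browser
// displays the payload as text instead of executing it.
function renderSafe(el, msg) {
  el.insertAdjacentHTML("beforeend", `<div class="notification">${escapeHtml(msg)}</div>`);
  return el.innerHTML;
}

// Check for a regression test or quick triage: which tags in the rendered
// markup were not produced by the template, or carry an inline event handler?
function findInjectedTags(html, allowedTags) {
  const injected = [];
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9-]*)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    if (!allowedTags.includes(tag) || /\bon[a-z]+\s*=/i.test(m[2])) injected.push(tag);
  }
  return injected;
}

// Constructed payload of the kind the advisory describes: a message whose
// markup executes script as soon as the notification is rendered.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

console.log("unsafe:", renderUnsafe(new FakeElement(), PAYLOAD));
console.log("safe:  ", renderSafe(new FakeElement(), PAYLOAD));
```

Encoding at the sink removes the XSS regardless of who calls the route; validating msg at the API is defence in depth rather than the primary fix, and neither replaces the renderer hardening discussed under Mitigating Controls.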
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25614
Vulnerability details
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. This vulnerability is fixed in 3.6.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SiYuan desktop Electron client lets a local, low-privileged attacker combine HTML injection (XSS) in the notification sink with the nodeIntegration: true renderer configuration to execute arbitrary code through Node.js APIs. That maps to exploitation of a client application for code execution (T1203) and to escalation from script in the renderer to code execution with the desktop user's privileges (T1068).
Mitigating Controls (NIST 800-53 r5)
- Escape or strip HTML in user-controlled notification messages before they reach the insertAdjacentHTML() sink in message.ts; this removes the XSS itself.
- SC-39 (Process Isolation): enforce process isolation in the Electron renderer (contextIsolation enabled, nodeIntegration disabled) so that script running in the page cannot reach Node APIs even if an XSS occurs, which blocks the escalation to arbitrary code execution.
- SI-10 (Information Input Validation): validate the user-controlled msg value at POST /api/notification/pushMsg and reject payloads containing HTML or script.
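The weak window configuration quoted from main.js, beside a hardened equivalent and a small audit that flags the dangerous settings, as an added example (editor's code, not SiYuan's and not its actual fix). The secure values are assumed from Electron's documented defaults (nodeIntegration false, contextIsolation true, webSecurity true, sandbox true from Electron 20 onward); the two main.js fragments are constructed for the illustration and the preload.js path is hypothetical.

```javascript
// Added illustration, not SiYuan's code: audit the BrowserWindow
// webPreferences the advisory names. Dangerous values are the ones quoted
// from main.js on this page; "secure" values are the editor's assumption of
// Electron's defaults (nodeIntegration false, contextIsolation true,
// webSecurity true, sandbox true in Electron 20 and later).
const CHECKS = {
  nodeIntegration:  { dangerous: true,  secure: false, why: "renderer JS can require() Node modules, so an XSS becomes code execution" },
  contextIsolation: { dangerous: false, secure: true,  why: "page scripts share one JS world with the preload script and Electron internals" },
  webSecurity:      { dangerous: false, secure: true,  why: "same-origin policy is switched off for the renderer" },
  sandbox:          { dangerous: false, secure: true,  why: "renderer process is not OS-sandboxed" },
};

// Audit an already-parsed webPreferences object; one finding per setting
// that holds its dangerous value. Unset keys are left to Electron's defaults.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, rule] of Object.entries(CHECKS)) {
    if (prefs[key] === rule.dangerous) {
      findings.push({ key, value: prefs[key], fix: `${key}: ${rule.secure}`, why: rule.why });
    }
  }
  return findings;
}

// Pull literal boolean webPreferences out of main-process source text.
// A regex is a triage aid, not a parser: it misses values computed at run
// time, so "no findings" means "nothing obvious", not "safe".
function extractWebPreferences(source) {
  const prefs = {};
  const block = source.match(/webPreferences\s*:\s*\{([^}]*)\}/);
  if (!block) return prefs;
  for (const kv of block[1].matchAll(/([A-Za-z]+)\s*:\s*(true|false)\b/g)) {
    prefs[kv[1]] = kv[2] === "true";
  }
  return prefs;
}

// Constructed main.js fragments (not the project's file): the weak
// configuration described in the advisory, and a hardened equivalent that
// exposes only what the UI needs through a (hypothetical) preload script.
const WEAK_MAIN_JS = `
const win = new BrowserWindow({
  width: 1280, height: 800,
  webPreferences: {
    nodeIntegration: true,
    contextIsolation: false,
    webSecurity: false,
  },
});
`;

const HARDENED_MAIN_JS = `
const win = new BrowserWindow({
  width: 1280, height: 800,
  webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    webSecurity: true,
    sandbox: true,
    preload: path.join(__dirname, "preload.js"),
  },
});
`;

for (const [name, src] of [["weak", WEAK_MAIN_JS], ["hardened", HARDENED_MAIN_JS]]) {
  const findings = auditWebPreferences(extractWebPreferences(src));
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.key}=${f.value} -> set ${f.fix}: ${f.why}`);
}
```

The extractor is deliberately simple; use it to triage a tree of Electron applications, then confirm each finding by reading the BrowserWindow construction by hand. With contextIsolation on and nodeIntegration off, an XSS in a notification is still a bug, but it stays inside the renderer instead of becoming desktop code execution, which is the point of the SC-39 control above.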