Cyber Resilience

CVE-2026-41421 (Severity: High)

Published: 24 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: fixed in 3.6.5
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (3.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41421 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 3.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41421 affects SiYuan, an open-source personal knowledge management system, specifically in desktop builds prior to version 3.6.5. The vulnerability stems from the rendering of notification messages as raw HTML within an Electron renderer process. The POST /api/notification/pushMsg endpoint accepts a user-controlled "msg" value, which is forwarded through the backend broadcast layer and inserted into the DOM via insertAdjacentHTML() in message.ts. Because the Electron window configuration in main.js sets nodeIntegration: true, contextIsolation: false, and webSecurity: false, the impact goes beyond standard XSS: JavaScript injected through the notification can call Node.js APIs directly.

An attacker with local access and low privileges (PR:L) can exploit this with low complexity (AC:L) and no user interaction (UI:N), achieving a scope change (S:C) with high confidentiality, integrity, and availability impacts (CVSS 8.8). By crafting a notification message containing JavaScript, the attacker triggers execution in the renderer context and escalates to arbitrary desktop code execution via Node APIs. The CVE is tagged as CWE-78 (OS Command Injection) and CWE-79 (XSS), reflecting the injection and cross-site scripting nature of the flaw, which leads to arbitrary code execution on the desktop.

The GitHub Security Advisory (GHSA-grjj-6f6g-cq8q) confirms the issue is fixed in SiYuan 3.6.5. Security practitioners should advise users to update to version 3.6.5 or later to mitigate the vulnerability, as no workarounds are detailed in available references.
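The two defender-side fixes implied by the analysis above, as an added example that is not SiYuan's own code: escaping the notification body before it reaches the insertAdjacentHTML sink, and an audit check for the Electron webPreferences named in the advisory. The wrapper class name and the check's message strings are assumptions; the sample preference objects are constructed.

```javascript
// Added example, not SiYuan's own code: the two defender-side fixes the advisory
// implies, written as pure functions so they run under plain Node with no DOM.

// 1. Render the notification body as text, never as markup.
// The vulnerable sink is insertAdjacentHTML(...) receiving the raw "msg" value.
// Escaping the HTML metacharacters before insertion makes any markup in msg inert.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the string a renderer would hand to insertAdjacentHTML for one
// notification. The wrapper class name is hypothetical; only the escaped body
// ends up inside it, so a message carrying tags or event-handler attributes is
// displayed literally rather than parsed as HTML.
function renderNotification(msg) {
  return `<div class="notification-body">${escapeHtml(msg)}</div>`;
}

// 2. Audit Electron BrowserWindow webPreferences.
// The advisory names nodeIntegration: true, contextIsolation: false and
// webSecurity: false as the settings that turn XSS into desktop code execution.
// contextIsolation is flagged unless it is explicitly true, so the check does not
// depend on the Electron version's default value.
function rendererIsolationFindings(webPreferences) {
  const p = webPreferences || {};
  const findings = [];
  if (p.nodeIntegration === true) findings.push('nodeIntegration: true exposes Node APIs to page JavaScript');
  if (p.contextIsolation !== true) findings.push('contextIsolation must be explicitly true');
  if (p.webSecurity === false) findings.push('webSecurity: false disables same-origin protections');
  return findings;
}

// Constructed sample inputs for a stand-alone run.
const vulnerablePrefs = { nodeIntegration: true, contextIsolation: false, webSecurity: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

console.log(renderNotification('<b>bold?</b> & more'));
console.log(rendererIsolationFindings(vulnerablePrefs));
console.log(rendererIsolationFindings(hardenedPrefs));
```

The audit function is meant to be run over every BrowserWindow construction in a codebase; an empty findings array for each window is the condition the 3.6.5 fix restores.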

Vulnerability details

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. This vulnerability is fixed in 3.6.5.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution): adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability in the SiYuan desktop Electron client allows local low-privileged attackers to exploit HTML injection (XSS) combined with nodeIntegration enabled to achieve arbitrary code execution via Node.js APIs, directly mapping to client application exploitation for code execution (T1203) and privilege escalation to full system control (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34558 (shared CWE-79)
CVE-2025-12744 (shared CWE-78)
CVE-2025-24576 (shared CWE-79)
CVE-2026-5967 (shared CWE-78)
CVE-2026-21418 (shared CWE-78)
CVE-2026-33066 (shared CWE-79)
CVE-2025-24385 (shared CWE-78)
CVE-2025-0447 (shared CWE-79)
CVE-2026-4369 (shared CWE-79)
CVE-2026-27806 (shared CWE-78)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: filters raw HTML out of user-controlled notification messages before DOM insertion via insertAdjacentHTML, directly preventing XSS exploitation.

Prevent: enforces process isolation in the Electron renderer so that JavaScript cannot reach Node APIs even when XSS succeeds, preventing escalation to arbitrary code execution.

Prevent: validates the user-controlled 'msg' input to the POST /api/notification/pushMsg endpoint and rejects HTML and JavaScript payloads.
