Cyber Resilience

CVE-2026-44586

HighRCE

Published: 14 May 2026

Published
14 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 8.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0031 22.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44586 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because…

more

SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Stored XSS in public Bazaar feed (CWE-79) rendered unsafely in privileged Electron context (nodeIntegration:true) directly enables remote code execution on host via the public-facing desktop application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43892Shared CWE-79, CWE-94
CVE-2024-11600Shared CWE-94
CVE-2025-6000Shared CWE-94
CVE-2026-38992Shared CWE-94
CVE-2026-24937Shared CWE-94
CVE-2022-50806Shared CWE-94
CVE-2026-36340Shared CWE-94
CVE-2024-11635Shared CWE-94
CVE-2024-9132Shared CWE-94
CVE-2025-65854Shared CWE-94

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79 CWE-94

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

References