Advisory Database
CVE-2026-39846: SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions

April 8, 2026

A malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIsolation disabled, attacker-controlled JavaScript executes with access to Node.js APIs. In practice, an attacker can import a crafted note into a synced workspace, wait for the victim to sync, and achieve code execution when the victim opens the note.
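The two halves of the bug described above, modelled in Go as an added example (this is an illustrative reconstruction written for this page, not SiYuan's kernel code): a render path that entity-unescapes a stored caption and splices it straight into table markup, beside one that escapes at the output boundary, plus a coarse triage check for captions already sitting in a synced workspace. The sample captions and the `alert(1)` payload are constructed.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// RenderCaptionVulnerable models the sink the advisory describes: the stored
// caption is entity-unescaped and then spliced verbatim into table markup, so
// any tag an attacker put in the caption becomes live DOM when the note renders.
// Illustrative reconstruction, not SiYuan's code.
func RenderCaptionVulnerable(stored string) string {
	return fmt.Sprintf("<table><caption>%s</caption></table>", html.UnescapeString(stored))
}

// RenderCaptionSafe escapes at the output boundary instead. Whatever was
// stored, the browser only ever sees text inside <caption>; a payload that
// arrived already entity-encoded is double-encoded and displayed literally,
// which is the correct outcome for untrusted content.
func RenderCaptionSafe(stored string) string {
	return fmt.Sprintf("<table><caption>%s</caption></table>", html.EscapeString(stored))
}

// suspiciousMarkers is a coarse triage list, not a sanitizer: a few strings
// that should never appear in a plain-text table caption.
var suspiciousMarkers = []string{"<script", "<iframe", "<img", "onerror=", "onload=", "javascript:"}

// LooksLikeMarkup decodes the stored value once (as the vulnerable path would)
// and reports whether it carries HTML a caption should not contain. It is meant
// for triaging captions in a synced workspace and is deliberately over-broad.
func LooksLikeMarkup(stored string) bool {
	decoded := strings.ToLower(html.UnescapeString(stored))
	for _, m := range suspiciousMarkers {
		if strings.Contains(decoded, m) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: a benign caption, a raw payload, and the same
	// payload already entity-encoded (the form a "stored then unescaped" sink
	// turns back into live markup).
	samples := []string{
		"Quarterly results",
		`<img src=x onerror=alert(1)>`,
		`&lt;img src=x onerror=alert(1)&gt;`,
	}
	for _, s := range samples {
		fmt.Printf("stored:     %s\nvulnerable: %s\nsafe:       %s\nflagged:    %v\n\n",
			s, RenderCaptionVulnerable(s), RenderCaptionSafe(s), LooksLikeMarkup(s))
	}
}
```

Escaping at the sink closes the XSS, but it is the second Electron setting in the description that turns a DOM injection into code execution: with nodeIntegration on and contextIsolation off, any script that reaches the renderer can call Node APIs, so the hardened renderer configuration is the layer that bounds the blast radius of the next escaping slip.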

References

  • github.com/advisories/GHSA-phhp-9rm9-6gr2
  • github.com/siyuan-note/siyuan
  • github.com/siyuan-note/siyuan/security/advisories/GHSA-phhp-9rm9-6gr2
  • nvd.nist.gov/vuln/detail/CVE-2026-39846

Detect and mitigate CVE-2026-39846 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.

Affected versions

All versions before 0.0.0-20260407035653-2f416e5253f1. This is a Go pseudo-version, so "before" means every revision of github.com/siyuan-note/siyuan/kernel whose commit time precedes 2026-04-07 03:56:53 UTC, the timestamp of fixing commit 2f416e5253f1.

Fixed versions

  • 0.0.0-20260407035653-2f416e5253f1

Solution

Upgrade to version 0.0.0-20260407035653-2f416e5253f1 or above, i.e. a revision of github.com/siyuan-note/siyuan/kernel at or after commit 2f416e5253f1.
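Because the affected and fixed versions are pseudo-versions rather than tagged releases, a plain string or semver comparison will not tell you whether a pinned revision is old enough to be affected. The check below, added here as an example (not GitLab's or SiYuan's code), reads the pinned version of the kernel module out of a go.mod and orders it against the fixed pseudo-version by commit timestamp, which is how Go orders pseudo-versions of the same base version. The go.mod excerpt and the pinned hashes in it are constructed; only the fixed version and module path come from this advisory.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// FixedPseudoVersion is the fixed version from this advisory: base 0.0.0,
// commit time 2026-04-07 03:56:53 UTC, commit 2f416e5253f1.
const FixedPseudoVersion = "v0.0.0-20260407035653-2f416e5253f1"

// KernelModule is the affected module path.
const KernelModule = "github.com/siyuan-note/siyuan/kernel"

// pseudoRe matches the plain pseudo-version form vX.Y.Z-yyyymmddhhmmss-hash.
var pseudoRe = regexp.MustCompile(`^v?(\d+\.\d+\.\d+)-(\d{14})-([0-9a-f]{12})$`)

type PseudoVersion struct {
	Base   string
	Commit time.Time
	Hash   string
}

// ParsePseudoVersion accepts vX.Y.Z-yyyymmddhhmmss-hash with or without the
// leading v. Tagged releases and the pre-release pseudo-version forms are
// rejected so they are compared by hand rather than mis-scored.
func ParsePseudoVersion(v string) (PseudoVersion, error) {
	m := pseudoRe.FindStringSubmatch(strings.TrimSpace(v))
	if m == nil {
		return PseudoVersion{}, fmt.Errorf("%q is not a vX.Y.Z-yyyymmddhhmmss-hash pseudo-version", v)
	}
	ts, err := time.Parse("20060102150405", m[2])
	if err != nil {
		return PseudoVersion{}, err
	}
	return PseudoVersion{Base: m[1], Commit: ts, Hash: m[3]}, nil
}

// IsAffected reports whether a resolved version of the kernel module predates
// the fixing commit. Pseudo-versions of one base version order by commit time,
// so that is the comparison; an equal timestamp with a different hash is
// ambiguous and is reported as an error rather than guessed.
func IsAffected(version string) (bool, error) {
	got, err := ParsePseudoVersion(version)
	if err != nil {
		return false, err
	}
	fixed, err := ParsePseudoVersion(FixedPseudoVersion)
	if err != nil {
		return false, err
	}
	if got.Base != fixed.Base {
		return false, fmt.Errorf("base version %s differs from %s; compare manually", got.Base, fixed.Base)
	}
	switch {
	case got.Hash == fixed.Hash:
		return false, nil
	case got.Commit.Equal(fixed.Commit):
		return false, fmt.Errorf("%s has the fixing commit's timestamp but a different hash", version)
	default:
		return got.Commit.Before(fixed.Commit), nil
	}
}

// RequiredVersion pulls the version of modulePath out of go.mod text. It handles
// single-line and block-style require directives and ignores // comments such
// as "// indirect".
func RequiredVersion(gomod, modulePath string) (string, error) {
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(line), "require"))
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[0] == modulePath {
			return fields[1], nil
		}
	}
	return "", fmt.Errorf("%s is not required by this go.mod", modulePath)
}

func main() {
	// Constructed go.mod excerpt; the pinned hash is hypothetical and its
	// timestamp predates the fix, so this project is reported as affected.
	const gomod = "module example.com/plugin\n\ngo 1.22\n\nrequire (\n" +
		"\tgithub.com/siyuan-note/siyuan/kernel v0.0.0-20260301101500-0123456789ab // indirect\n)\n"
	v, err := RequiredVersion(gomod, KernelModule)
	if err != nil {
		fmt.Println(err)
		return
	}
	affected, err := IsAffected(v)
	fmt.Printf("%s %s affected=%v err=%v\n", KernelModule, v, affected, err)
}
```

In a real repository the resolved version (which may be newer than the one written in go.mod once minimal version selection runs) comes from `go list -m github.com/siyuan-note/siyuan/kernel`; feed that string to IsAffected rather than the go.mod line.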

Impact: 9.0 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H


Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Source file

go/github.com/siyuan-note/siyuan/kernel/CVE-2026-39846.yml

Page generated Sat, 09 May 2026 12:18:48 +0000.