LeakyCreds

CVE-2026-40322 - Vulnerability Analysis

Severity: Critical
CVSS: 9.0

Last Updated: April 16, 2026

SiYuan - Stored XSS & Remote Code Execution

Published: April 16, 2026
Updated: April 16, 2026
Remote Exploitable

Overview

SiYuan <= 3.6.3 contains a stored XSS vulnerability: Mermaid diagrams are rendered with securityLevel set to "loose" and the resulting SVG is injected via innerHTML, which lets an attacker execute arbitrary code in Electron desktop builds. Exploitation requires the victim to open and interact with a malicious Mermaid diagram.
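The two settings named above, side by side, as an added example that is not SiYuan's or Mermaid's own code: a weak Mermaid configuration next to a hardened one, a small audit/hardening helper, and a conservative pre-insertion check for active content in rendered SVG markup. `securityLevel` is a real Mermaid `initialize()` option (values `strict`, `antiscript`, `loose`, `sandbox`); the helper function names and the sample SVG strings are constructed for this example.

```javascript
// Added example (not SiYuan's or Mermaid's code). Shows the weak Mermaid
// setting beside a hardened one, plus a heuristic gate that refuses to
// hand SVG markup containing active content to innerHTML.
// `securityLevel` is a real Mermaid initialize() option; function names
// and sample SVG strings below are constructed for this example.

// Weak: 'loose' lets diagram-supplied HTML and click handlers reach the page.
const WEAK_MERMAID_CONFIG = { startOnLoad: false, securityLevel: 'loose' };

// Hardened: 'strict' (Mermaid's default) HTML-encodes labels and drops
// click handlers; 'sandbox' additionally isolates rendering in an iframe.
const HARDENED_MERMAID_CONFIG = { startOnLoad: false, securityLevel: 'strict' };

const ACCEPTABLE_SECURITY_LEVELS = new Set(['strict', 'sandbox', 'antiscript']);

// Returns a list of findings; an empty list means the config passes.
function auditMermaidConfig(config) {
  const findings = [];
  const level = config.securityLevel ?? 'strict'; // Mermaid defaults to strict
  if (!ACCEPTABLE_SECURITY_LEVELS.has(level)) {
    findings.push(`securityLevel is '${level}'; use 'strict' or 'sandbox'`);
  }
  return findings;
}

// Returns a copy of the config with securityLevel forced to 'strict'.
function hardenMermaidConfig(config) {
  return { ...config, securityLevel: 'strict' };
}

// Heuristic patterns for markup that should never appear in a diagram SVG
// about to be inserted into the DOM. Deliberately broad; a real deployment
// should still run a proper sanitizer (e.g. DOMPurify) on the markup.
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'inline event handler', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /javascript\s*:/i },
  { name: 'foreignObject (embeds HTML)', re: /<\s*foreignObject\b/i },
  { name: 'iframe/object/embed element', re: /<\s*(iframe|object|embed)\b/i },
];

// Returns the names of every pattern that matched the markup.
function findActiveContent(svgMarkup) {
  return ACTIVE_CONTENT_PATTERNS
    .filter((p) => p.re.test(svgMarkup))
    .map((p) => p.name);
}

// Insertion gate: only returns markup that passed the check, so the caller
// never has a string to hand to innerHTML when a pattern matched.
function gateSvgForInsertion(svgMarkup) {
  const reasons = findActiveContent(svgMarkup);
  if (reasons.length > 0) {
    return { ok: false, reasons, markup: null };
  }
  return { ok: true, reasons: [], markup: svgMarkup };
}

// Constructed samples: a plain node/edge fragment and one carrying a handler.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><g class="node">' +
  '<rect width="10" height="10"/><text>A</text></g></svg>';
const SUSPICIOUS_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><g onclick="doSomething()">' +
  '<text>B</text></g></svg>';

console.log('weak config findings:', auditMermaidConfig(WEAK_MERMAID_CONFIG));
console.log('hardened config findings:', auditMermaidConfig(HARDENED_MERMAID_CONFIG));
console.log('benign gate:', gateSvgForInsertion(BENIGN_SVG).ok);
console.log('suspicious gate:', gateSvgForInsertion(SUSPICIOUS_SVG));
```

The gate is a defence-in-depth check, not a replacement for keeping `securityLevel` at `strict` or `sandbox`: the configuration stops Mermaid from emitting active content in the first place, while the gate catches markup that reaches the insertion point by another path.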

Severity & Score

Severity: Critical
CVSS Score: 9.0

Impact

Attackers can execute arbitrary code in the victim's desktop application, leading to full system compromise.

Mitigation

Update to version 3.6.4 or later.

Details

CVE ID
CVE-2026-40322
Severity
Critical
CVSS Score
9.0
Type
stored_xss
Status
new

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H