LeakyCreds

CVE-2026-40922 - Vulnerability Analysis

Severity: Medium | CVSS: 5.4

Last Updated: April 20, 2026

SiYuan - Stored XSS

Published: April 17, 2026
Updated: April 20, 2026
PoC Available
Remote Exploitable

Overview

SiYuan 3.6.1 through 3.6.3 contains a stored XSS caused by insufficient sanitization of iframe srcdoc attributes in bazaar README rendering. A malicious package author can use it to execute arbitrary code in the Electron context; exploitation requires the victim to view the malicious package in the marketplace UI.

Severity & Score

Severity: Medium
CVSS Score: 5.4

Impact

Attackers can execute arbitrary code with full application privileges on the user's machine.

Mitigation

Update to version 3.6.4 or later.

Details

CVE ID: CVE-2026-40922
Severity: Medium
CVSS Score: 5.4
Type: stored_xss
Status: modified

CWE

  • CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N