LeakyCreds

CVE-2026-44586 - Vulnerability Analysis

High, CVSS: 8.3

Last Updated: May 14, 2026

SiYuan - Stored XSS & Remote Code Execution

Published: May 14, 2026
Updated: May 14, 2026
Remote Exploitable

Overview

SiYuan versions 2.1.12 up to but not including 3.7.0 contain a stored XSS caused by unescaped rendering of package author metadata in the Bazaar marketplace. Remote attackers can use it to execute code on the host via Node.js APIs. Exploitation requires the user to load the malicious metadata.

Severity & Score

Severity: High
CVSS Score: 8.3

Impact

Attackers can execute arbitrary code on the host system, potentially leading to full system compromise.

Mitigation

Update to version 3.7.0 or later.

Details

CVE ID: CVE-2026-44586
Severity: High
CVSS Score: 8.3
Type: stored_xss
Status: rejected

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H