CVE-2026-34448

SiYuan · SiYuan

SiYuan is vulnerable to a stored XSS-to-RCE chain in its Attribute View. Malicious URLs in the mAsse field trigger JavaScript execution with full OS access in the Electron client.

Executive summary

An attacker can achieve full Remote Code Execution on a victim's machine by placing a malicious URL in a shared SiYuan note; the injected script executes with system privileges when the note is viewed.

Vulnerability

This is a stored Cross-Site Scripting (XSS) vulnerability within the Attribute View's mAsse field. Because the Electron client has nodeIntegration enabled and contextIsolation disabled, an authenticated attacker can inject JavaScript that bypasses the browser sandbox to execute arbitrary OS commands under the victim's account.
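The two defensive layers this description implies, as an added sketch that is not SiYuan's code: escaping and scheme-checking a stored URL before it reaches an HTML attribute, and auditing Electron webPreferences for the two settings named above. All function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not SiYuan's code; all function names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return the URL escaped for an attribute, or null if it must not become a link.
function safeUrlAttr(raw) {
  const text = String(raw).trim();
  let parsed;
  try {
    parsed = new URL(text);
  } catch {
    return null; // relative or malformed: treat as plain text
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? escapeHtml(text) : null;
}

// Render one stored asset entry; unusable URLs degrade to escaped text.
function renderAssetLink(url, name) {
  const href = safeUrlAttr(url);
  const label = escapeHtml(name || url);
  if (href === null) return `<span>${label}</span>`;
  return `<a href="${href}" rel="noopener noreferrer">${label}</a>`;
}

// Flag Electron webPreferences that let renderer script reach Node.js APIs.
// Absent keys fall back to current Electron defaults, which are the safe values.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration enabled");
  if (prefs.contextIsolation === false) findings.push("contextIsolation disabled");
  return findings;
}

// Constructed samples: the configuration the advisory describes, and a hardened one.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };
// Constructed stored value containing a quote that would otherwise end the attribute.
const sampleUrl = 'https://example.invalid/a.png" data-x="1';

console.log(renderAssetLink(sampleUrl, "a.png"));
console.log(auditWebPreferences(weakPrefs), auditWebPreferences(hardenedPrefs));
```

Either layer alone narrows the impact: escaping stops the injection, and the hardened renderer settings keep any script that does run away from Node.js APIs.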

Business impact

The impact is the complete compromise of the victim's workstation. Since the XSS is stored, any user who views the affected note or gallery view will be compromised. This could lead to lateral movement within a corporate network and the theft of sensitive intellectual property stored within the knowledge management system. The CVSS score of 9 reflects this high severity.

Remediation

Immediate Action: Update SiYuan to version 3.6.2 or later, which properly escapes URLs and hardens the Electron environment.

Proactive Monitoring: Scan the application database for suspicious http or https strings in the mAsse fields that contain shell commands or obfuscated JavaScript.

Compensating Controls: Disable the "Gallery" and "Kanban" views if they are not required, as these are the primary vectors for triggering the malicious payload.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The combination of stored XSS and a poorly secured Electron environment provides a direct path to RCE. Users should be advised not to open notes from untrusted sources until the application is updated to version 3.6.2. Immediate patching is required to mitigate the risk of account and system takeover.