CVE-2026-39846
SiYuan · SiYuan Desktop Client
SiYuan personal knowledge management system is vulnerable to stored XSS, which can lead to remote code execution in the Electron desktop client.
Executive summary
A stored cross-site scripting vulnerability in SiYuan allows an attacker to achieve remote code execution on a victim's machine by syncing a malicious note.
Vulnerability
The vulnerability is caused by improper escaping of table caption content, which creates a stored XSS sink. Because the desktop client (based on Electron) operates with nodeIntegration enabled and contextIsolation disabled, the injected JavaScript gains full access to Node.js APIs, enabling remote code execution.
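Added illustration in JavaScript of the two defences that break the chain described above (this is not SiYuan's code; the function names, the sample caption and the webPreferences objects are assumptions): context-correct escaping of untrusted caption text before it reaches the DOM, and an audit of the Electron renderer settings that turn a script injection into Node.js access.

```javascript
// Hypothetical example, not SiYuan's source. Two independent layers:
//  1. escapeHtml()/renderCaption(): escape untrusted note content before it is
//     interpolated into the editor's HTML, so a caption can carry no markup.
//  2. auditWebPreferences(): flag Electron BrowserWindow settings that let
//     any renderer-side XSS reach Node.js APIs (the RCE step in the advisory).

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that matter in an HTML text node or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a table caption from untrusted (synced) note content.
function renderCaption(caption) {
  return `<caption>${escapeHtml(caption)}</caption>`;
}

// Constructed sample caption: markup supplied by a note must come out inert.
const SAMPLE_CAPTION = 'Q1 <b>results</b> & "notes"';

// Renderer settings as the advisory describes them (assumed shape, not the
// project's actual config): page scripts get the full Node.js API surface.
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false };

// Hardened equivalent: no Node in the renderer, isolated preload world,
// OS-level sandbox. Privileged operations go through a preload/IPC bridge.
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Return a list of findings; an empty list means the window is configured safely.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: any XSS becomes Node.js code execution');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation disabled: page scripts share a world with preload/Node globals');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox not enabled: renderer process is unsandboxed');
  }
  return findings;
}
```

Running the audit against the weak settings reports three findings, while the hardened object reports none; the same check can be applied to every BrowserWindow a client creates.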
Business impact
With a CVSS score of 9.0, this flaw poses a severe risk to users. Exploitation allows an attacker to execute arbitrary commands on the user's local workstation, potentially leading to theft of local credentials and private notes and to complete compromise of the local environment.
Remediation
Immediate Action: Update the SiYuan desktop client to version 3.6.4 or later.
Proactive Monitoring: Users should monitor for suspicious note activity or unexpected synchronization behavior if they suspect their account has been compromised.
Compensating Controls: Because the flaw is difficult to mitigate with network controls, users should avoid syncing or opening notes from untrusted or unknown sources within the SiYuan platform.
Exploitation status
Public Exploit Available: No
Analyst recommendation
All users of the SiYuan desktop client must update to version 3.6.4 or later. Given the ability to achieve code execution through simple note synchronization, this update should be treated as a high-priority security maintenance task.