CVE-2026-40322

SiYuan · SiYuan

SiYuan versions 3.6.3 and below are vulnerable to stored XSS in Mermaid diagrams, which can be escalated to arbitrary code execution on Electron-based desktop builds.

Executive summary

A critical vulnerability in SiYuan allows unauthenticated attackers to achieve arbitrary code execution via malicious Mermaid diagram injections.

Vulnerability

The vulnerability lies in how Mermaid diagrams are rendered: the renderer uses Mermaid's "loose" security level, which does not sanitise diagram content and therefore lets embedded JavaScript run in the page (stored XSS). When the diagram is rendered inside an Electron environment that lacks context isolation, page script can reach Node.js APIs, so the stored XSS escalates to arbitrary code execution.
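The two settings named above, Mermaid's `securityLevel` and Electron's `contextIsolation`, are shown here in weak and hardened form together with a small audit helper that flags a weak combination. This is an added illustration, not SiYuan's code: the option names are real Mermaid (`mermaid.initialize`) and Electron (`BrowserWindow` `webPreferences`) options, but the configuration objects, the `auditRenderConfig` helper and its findings are constructed for this page and do not describe SiYuan's actual configuration.

```javascript
// Added illustration (not SiYuan's code). Option names are real Mermaid and
// Electron options; the config objects and the audit helper are constructed
// here for this page. Runs offline: nothing is imported.

// Hardened Mermaid initialisation. 'strict' (Mermaid's default) sanitises
// HTML labels and blocks click callbacks; 'loose' skips sanitisation and lets
// diagram content reach the DOM as-is.
const HARDENED_MERMAID_CONFIG = {
  startOnLoad: false,
  securityLevel: 'strict', // 'antiscript' or 'sandbox' are also safe choices
};

// Hardened Electron webPreferences for a BrowserWindow that renders notes.
// With contextIsolation on and nodeIntegration off, script running in the
// page cannot reach Node.js APIs directly.
const HARDENED_WEB_PREFERENCES = {
  contextIsolation: true,
  nodeIntegration: false,
  sandbox: true,
};

// Weak configuration of the shape the advisory describes (constructed sample).
const WEAK_CONFIG = {
  mermaid: { securityLevel: 'loose' },
  webPreferences: { contextIsolation: false, nodeIntegration: true },
};

/**
 * Audit a renderer configuration and return a list of findings.
 * An empty list means none of the checked settings is in a weak state.
 * Missing keys are treated as the library defaults (Mermaid 'strict';
 * Electron in current releases: contextIsolation on, nodeIntegration off),
 * so only explicit weakening is flagged.
 */
function auditRenderConfig(cfg) {
  const findings = [];
  const level = cfg.mermaid?.securityLevel ?? 'strict';
  const wp = cfg.webPreferences ?? {};
  const isolated = wp.contextIsolation !== false;
  const nodeOn = wp.nodeIntegration === true;

  if (level === 'loose') {
    findings.push({
      severity: 'high',
      setting: 'mermaid.securityLevel',
      detail: 'loose: diagram content is not sanitised, so a stored diagram can run script in the page (XSS)',
    });
  }
  if (!isolated) {
    findings.push({
      severity: 'high',
      setting: 'webPreferences.contextIsolation',
      detail: 'disabled: page script shares a JavaScript world with the preload script',
    });
  }
  if (nodeOn) {
    findings.push({
      severity: 'high',
      setting: 'webPreferences.nodeIntegration',
      detail: 'enabled: page script can load Node.js modules directly',
    });
  }
  // The combination is what turns a stored XSS into code execution.
  if (level === 'loose' && (!isolated || nodeOn)) {
    findings.push({
      severity: 'critical',
      setting: 'combined',
      detail: 'unsanitised diagram rendering inside a renderer that can reach Node.js: XSS escalates to arbitrary code execution',
    });
  }
  return findings;
}

// Usage: print the findings for the weak sample and confirm the hardened
// configuration is clean.
console.log(auditRenderConfig(WEAK_CONFIG));
console.log(auditRenderConfig({
  mermaid: HARDENED_MERMAID_CONFIG,
  webPreferences: HARDENED_WEB_PREFERENCES,
}));
```

The helper deliberately rates `securityLevel: 'loose'` on its own as high rather than critical: with context isolation intact it remains a stored XSS inside the note view, and it is the pairing with a renderer that can reach Node.js that matches the escalation the advisory describes.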

Business impact

The ability to execute arbitrary code on a user's machine poses a severe risk to confidentiality, integrity, and availability. With a CVSS score of 9.0, this flaw allows an attacker to compromise local data, install persistence, or pivot into the internal network.

Remediation

Immediate Action: Upgrade the SiYuan application to version 3.6.4 or later.

Proactive Monitoring: Review audit logs for suspicious activity involving note creation or unexpected external network connections originating from the application.

Compensating Controls: Restrict the use of untrusted Mermaid diagrams within the workspace until the patch is applied.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the potential for complete system compromise, organizations should prioritize the update to version 3.6.4 across all desktop instances. Failure to patch leaves the local environment exposed to malicious code execution.