CVE-2026-54067
SiYuan · SiYuan
A cross-site scripting (XSS) vulnerability in SiYuan's CSS snippet rendering allows attackers to execute arbitrary JavaScript, leading to remote code execution (RCE) on Electron desktop builds.
Executive summary
A critical XSS vulnerability in SiYuan's CSS snippet rendering allows for remote code execution on Electron-based desktop clients when malicious snippets are synced and rendered.
Vulnerability
This vulnerability involves improper sanitization of CSS snippet bodies, where an attacker can inject malicious tags to break out of the rendering context. Because the Electron renderer operates with nodeIntegration:true, this XSS can be escalated to full RCE by an authenticated user with write access to a synced workspace.
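The following is an added example, not SiYuan's code, illustrating the rendering defect the paragraph above describes: when an untrusted CSS snippet body is concatenated into an HTML string and parsed, a closing `</style` sequence in the body ends the raw-text element and everything after it is parsed as markup; assigning the body with `textContent` avoids that entirely because a text node is never tokenized. The function names, the `containsStyleBreakout` check and the sample snippet bodies are all constructed assumptions for this demonstration.

```javascript
// Added example (not SiYuan's code). Shows the unsafe "concatenate into HTML" pattern
// beside the safe "assign as text" pattern for rendering an untrusted CSS snippet body,
// plus a simple pre-render check a defender can log on. All names are assumptions.

// Inside a <style> element the HTML tokenizer treats content as raw text; the only thing
// that ends it is an end tag for "style". A case-insensitive match is the conservative check.
const STYLE_BREAKOUT = /<\/style/i;

// Returns true when the body contains a sequence that would terminate a <style> element
// if the body were ever parsed as HTML. Useful as an audit/logging hook on synced snippets.
function containsStyleBreakout(cssBody) {
  return STYLE_BREAKOUT.test(String(cssBody));
}

// Vulnerable pattern (illustration of the advisory's description, not SiYuan's actual code):
// the untrusted body is spliced into markup. Returned as a string so the defect is visible
// without a DOM; in a renderer this string would typically reach innerHTML.
function renderViaInnerHtmlUnsafe(cssBody) {
  return `<style>${cssBody}</style>`;
}

// Safe pattern: build the element and set the body as text. A text node is never parsed
// as markup, so "</style" inside it remains literal (and invalid, but harmless) CSS.
// `doc` is anything exposing createElement, i.e. the real `document` in a renderer.
function renderViaTextContent(doc, cssBody) {
  const el = doc.createElement('style');
  el.textContent = String(cssBody);
  return el;
}

// Minimal DOM stand-in so the example runs in Node (constructed for this example).
const fakeDoc = {
  createElement(tag) {
    return { tagName: tag.toUpperCase(), textContent: '' };
  },
};

// Constructed sample snippet bodies: one ordinary, one carrying a style-closing sequence.
const benignBody = 'body { color: red; }';
const breakoutBody = 'body { color: red; } </style><b id="escaped">x</b>';

// Runs both patterns over the sample bodies and returns the observable differences.
function demo() {
  const unsafeHtml = renderViaInnerHtmlUnsafe(breakoutBody);
  const safeEl = renderViaTextContent(fakeDoc, breakoutBody);
  return {
    benignFlagged: containsStyleBreakout(benignBody),     // false
    breakoutFlagged: containsStyleBreakout(breakoutBody), // true
    // The unsafe string contains two closers; a parser stops the element at the first.
    unsafeCloserCount: (unsafeHtml.match(/<\/style>/gi) || []).length, // 2
    // The safe element keeps the whole body verbatim as text under a STYLE tag.
    safeTag: safeEl.tagName,
    safeHoldsBodyVerbatim: safeEl.textContent === breakoutBody,
  };
}

console.log(demo());
```

The `containsStyleBreakout` check is a detection aid rather than a fix: the fix is never letting the snippet body reach an HTML parser, which `renderViaTextContent` shows. Independently of the rendering code, an Electron window created with `nodeIntegration: false` and `contextIsolation: true` would not turn a renderer XSS into direct Node API access, which is the escalation step the advisory describes.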
Business impact
The potential for remote code execution on the host machine presents an extreme risk to organizational data and system integrity. Given the 9.9 CVSS score, this vulnerability could allow an attacker to gain full control over the user's local environment, potentially exfiltrating sensitive knowledge management data or moving laterally within the network.
Remediation
Immediate Action: Upgrade all SiYuan desktop instances to version 3.7.0 or later, which patches the rendering logic.
Proactive Monitoring: Review workspace repository logs for unauthorized modifications or suspicious CSS snippet injections.
Compensating Controls: Restrict write access to shared workspaces and enforce strict policies on the use of custom CSS or JS snippets within the knowledge base.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this flaw cannot be overstated, as it transitions a simple XSS into a full system compromise. Organizations utilizing SiYuan must prioritize the update to version 3.7.0 across all client machines to mitigate the risk of RCE.