CVE-2026-59855

SiYuan · SiYuan

SiYuan is vulnerable to stored Cross-Site Scripting (XSS) due to improper neutralization of script-related HTML tags, potentially allowing remote execution of malicious scripts.

Executive summary

An unauthenticated Cross-Site Scripting (XSS) vulnerability in SiYuan could allow attackers to execute arbitrary code in the context of a user's session.

Vulnerability

This is a stored Cross-Site Scripting (XSS) vulnerability (CWE-80) resulting from the failure to properly sanitize HTML input. As the attack vector is network-based and requires no authentication, an attacker can inject malicious scripts into the application that execute when viewed by other users.

Business impact

Successful exploitation of this vulnerability can lead to full account takeover, session hijacking, and the theft of sensitive personal knowledge data stored within the SiYuan instance. With a CVSS score of 8.6, this flaw presents a high risk of unauthorized access and potential data exfiltration, significantly impacting the confidentiality and integrity of the user's workspace.

Remediation

Immediate Action: Upgrade to SiYuan version 3.7.1 or later immediately to incorporate the necessary input sanitization patches.

Proactive Monitoring: Review web access logs for unusual patterns or payloads containing script tags associated with user input fields.

Compensating Controls: Implement a strict Content Security Policy (CSP) to restrict the sources from which scripts can be loaded, which may mitigate the impact of XSS attacks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS severity and the ease of exploitation, organizations and individuals using SiYuan must prioritize updating to version 3.7.1. Failure to patch may allow attackers to compromise the integrity of the knowledge management system and gain unauthorized access to stored data.