CVE-2026-50551 | SiYuan is an open-source personal knowledge management syste… | CVSS 9.9 CRITICAL

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This vulnerability is fixed in 3.7.0.

Metadata

CVE ID: CVE-2026-50551
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-04 20:37 UTC
Published: 2026-06-24 21:20 UTC
Last updated: 2026-06-24 21:20 UTC
Primary CWE: CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product: siyuan-note / siyuan
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
siyuan-note	siyuan	—	< 3.7.0

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56mp-4f3v-fgj2 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-56mp-4f3v-fgj2