NIXPKGS-2026-1145

GitHub issue published on

Permalink CVE-2026-40322

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated an hour ago by @LeSuisse Activity log

Created automatic suggestion 11 hours ago
@LeSuisse accepted an hour ago
@LeSuisse published on GitHub an hour ago

SiYuan: Mermaid `javascript:` Link Injection Leads to Stored XSS and Electron RCE

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the DOM via innerHTML. This allows attacker-controlled javascript: URLs in Mermaid code blocks to survive into the rendered output. On desktop builds using Electron, windows are created with nodeIntegration enabled and contextIsolation disabled, escalating the stored XSS to arbitrary code execution when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node. This issue has been fixed in version 3.6.4.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x63q-3rcj-hhp5 x_refsource_CONFIRM
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.4 x_refsource_MISC

Affected products

siyuan

==< 3.6.4

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.6.3
- nixpkgs-unstable 3.6.3
- nixos-unstable-small 3.6.3
nixos-25.11 3.6.2
- nixos-25.11-small 3.6.2
- nixpkgs-25.11-darwin 3.6.2

Package maintainers

@L-Trump Luo Chen <ltrump@163.com>
@TomaSajt TomaSajt

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1145

References

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers