Back to CVE List

CVE-2026-40107

HIGH SEVERITY

CVSS Score & Metrics

Base Score
6.5 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vulnerability Description

SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker. This vulnerability is fixed in 3.6.4.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-918
Source
NVD
Vendor
siyuan-note
Product
siyuan

External References

Discussion (0)

Add Comment

No comments yet. Be the first!