What is CVE-2026-44586?

CVE-2026-44586 is a high-severity vulnerability in Siyuan-note Siyuan, classified under Cross-site Scripting. CVSS score: 8.3/10. Published 2026-05-14.

How severe is CVE-2026-44586?

High severity. CVSS v3 base score is 8.3 out of 10.

RCE in Siyuan-note Siyuan

CVE-2026-44586

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this b…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (17.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.3 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.

Affected products

Siyuan-note Siyuan — versions >= 2.1.12, < 3.7.0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting
CWE-94 — Code Injection

References

security-advisories@github.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-44586?: CVE-2026-44586 is a high-severity vulnerability in Siyuan-note Siyuan, classified under Cross-site Scripting. CVSS score: 8.3/10. Published 2026-05-14.
How severe is CVE-2026-44586?: High severity. CVSS v3 base score is 8.3 out of 10.