RCE in Siyuan-note Siyuan
CVE-2026-44588
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to message…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (10.1th percentile)
Affected products
- Siyuan-note Siyuan — versions < 3.7.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)