CVE-2026-44588
CriticalSummary
SiYuan is a knowledge management system that prior to version 3.7.0 had an issue with handling the aria-label attribute. Due to improper URL decoding, it was possible to inject malicious HTML code, leading to unauthorized script execution.
Risk Assessment
Organizations using SiYuan may be exposed to XSS attacks, which can lead to data theft or session hijacking. There is a high security risk associated with the application.
Recommendation
It is recommended to update SiYuan to version 3.7.0 or later to mitigate this vulnerability. Additionally, consider enabling context isolation and web security features.
Original NVD description (English source)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, he tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in app/src/util/escape.ts:19-25, only handles HTML special characters (", ', <, literal <) — it leaves %XX URL-escapes untouched. So a doc title containing %3Cimg src=x onerror=...%3E round-trips through escapeAriaLabel and the HTML attribute layer unmodified. Then decodeURIComponent on the consumer side converts %3C to a literal < character (a real <, NOT a character reference). When that string is assigned to innerHTML, the HTML5 tokenizer enters TagOpenState on the literal <, parses the <img> element, and the onerror handler fires. Because the renderer runs with nodeIntegration: true, contextIsolation: false, webSecurity: false (app/electron

