CVE-2026-41421 HIGH

CVE-2026-41421: SiYuan Desktop Notification XSS Leads to Electron RCE

Vendor Siyuan-Note

Product siyuan

Weakness CWE-78

Published April 24, 2026

Last update April 25, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast layer, and the frontend inserts it into the DOM with insertAdjacentHTML(...) at message.ts. On desktop builds, this is not limited to ordinary XSS. Electron windows are created with nodeIntegration: true, contextIsolation: false, and webSecurity: false at main.js. As a result, JavaScript executed from the notification sink can directly access Node APIs and escalate to desktop code execution. This vulnerability is fixed in 3.6.5.

Key dates

02Disclosure timeline

April 24, 2026 CVE published

April 25, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41421 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-41421: SiYuan Desktop Notification XSS Leads to Electron RCE

01Description

02Disclosure timeline

03References

04Related CVE