External risk intelligence

SiYuan software lets attackers run any code on your computer

CVE advisorySeverity: CRITICAL (CVSS 9.4)

CVE-2026-44588

SiYuan software has a critical flaw allowing malicious code execution from a crafted document title. This requires user interaction but can compromise your computer.

1Halo Surface Signal

Cross-site Scripting

External exposure likelihood

Halo Surface Signal score for CVE-2026-44588

SiYuan is a desktop-based personal knowledge management application. The vulnerability exists within client-side code triggered by local user interaction, such as hovering a mouse over an interface element on a workstation. The application is not designed as an internet-facing service or remote gateway, making public network reachability not a standard deployment pattern.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in SiYuan, a personal knowledge management system, allows for arbitrary code execution. It occurs when a specially crafted document title is processed, leading to the execution of malicious code on the user's system. This is concerning because it can happen with simple user interaction.

  • Could lead to code execution.
  • Requires user interaction.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by tricking a user into opening a specially crafted document within the SiYuan application. This document would contain malicious code disguised as a tooltip, which, when triggered by a user action like hovering, would execute arbitrary commands on the victim's machine due to the application's relaxed security settings. This allows for full system compromise.

  • User interaction required.
  • Targets document titles.
  • Requires specific app configuration.

Live Threat

Current exploitation, exposure, and threat context

Attackers are unlikely to weaponize this CVE because SiYuan is a desktop application, not an internet-facing service. The vulnerability requires local user interaction and a specific software configuration, limiting its appeal for widespread exploitation.

  • No KEV listing.
  • Exploits are complex.
  • Indirect attack surface.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading SiYuan to version 3.7.0 or later to address this critical remote code execution vulnerability. If immediate patching is not feasible, isolate affected instances from the network and restrict user access to prevent exploitation.

  • Update SiYuan to 3.7.0.
  • Isolate affected systems.
  • Monitor for suspicious activity.

Frequently asked questions

What is SiYuan and how is it affected by CVE-2026-44588?

SiYuan is an open-source personal knowledge management system. CVE-2026-44588 is a critical vulnerability within SiYuan that allows for arbitrary code execution due to improper handling of specially crafted document titles in its tooltip mouseover handler. This vulnerability is fixed in version 3.7.0.

How does the tooltip vulnerability in SiYuan (CVE-2026-44588) lead to code execution?

The vulnerability, a cross-site scripting (XSS) flaw (CWE-79), exploits how SiYuan's tooltip handler processes document titles. An attacker crafts a title containing HTML, which bypasses a limited escape function. When this title is displayed in a tooltip, it's interpreted as HTML, and due to specific application configurations (nodeIntegration: true, contextIsolation: false, webSecurity: false), malicious JavaScript can be injected, leading to arbitrary code execution.

What is the trigger path and scope of the SiYuan vulnerability (CVE-2026-44588)?

The trigger path involves a user hovering their mouse over a crafted tooltip in the SiYuan application. A specially crafted document title, containing malicious HTML like an `<img>` tag with an `onerror` attribute, is the input. The scope of the vulnerability is the local machine where SiYuan is running, with the potential for arbitrary code execution, escalating privileges due to the application's relaxed security settings.

How relevant is CVE-2026-44588, and what makes it unlikely for widespread exploitation?

While critical, the relevance for widespread exploitation is low. SiYuan is a desktop application, not an internet-facing service, limiting its reach. Exploitation requires local user interaction and a specific, insecure application configuration, making it complex and less appealing for broad attacks. Halo Surface Signal rates this as 'Very unlikely' to be exploited externally.

What steps should be taken to remediate the SiYuan vulnerability (CVE-2026-44588)?

The primary remediation is to upgrade SiYuan to version 3.7.0 or a later release, which includes the fix for this vulnerability. If immediate patching is impossible, consider isolating affected SiYuan instances from the network and strictly monitoring for any suspicious activity to mitigate the risk of exploitation.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified