{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/siyuan-knowledge-management-system/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-40322"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SiYuan Knowledge Management System"],"_cs_severities":["critical"],"_cs_tags":["siyuan","mermaid","rce","xss","electron"],"_cs_type":"advisory","_cs_vendors":["SiYuan"],"content_html":"\u003cp\u003eSiYuan, an open-source personal knowledge management system, is susceptible to arbitrary code execution in versions 3.6.3 and below. The vulnerability stems from the insecure rendering of Mermaid diagrams, a feature used for creating visual representations. Specifically, the application renders Mermaid diagrams with \u003ccode\u003esecurityLevel\u003c/code\u003e set to \u0026quot;loose\u0026quot;, injecting the resulting SVG directly into the DOM using \u003ccode\u003einnerHTML\u003c/code\u003e. This insecure approach allows attacker-controlled \u003ccode\u003ejavascript:\u003c/code\u003e URLs within Mermaid code blocks to persist in the rendered output. On desktop builds leveraging Electron, the application creates windows with \u003ccode\u003enodeIntegration\u003c/code\u003e enabled and \u003ccode\u003econtextIsolation\u003c/code\u003e disabled. Consequently, when a user opens a note containing a malicious Mermaid block and interacts with the rendered diagram, the stored cross-site scripting (XSS) vulnerability escalates to arbitrary code execution. Users are advised to upgrade to version 3.6.4, which addresses this security flaw.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious SiYuan note containing a Mermaid diagram.\u003c/li\u003e\n\u003cli\u003eThe Mermaid diagram includes a code block with a \u003ccode\u003ejavascript:\u003c/code\u003e URL. Example: \u003ccode\u003emermaid graph LR; A[Click me] --\u0026gt; B((Malicious Node)); click A \u0026quot;javascript:require('child_process').exec('calc.exe');\u0026quot; \u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe attacker saves the malicious note within SiYuan.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious note in the SiYuan desktop application (version 3.6.3 or earlier).\u003c/li\u003e\n\u003cli\u003eSiYuan renders the Mermaid diagram with \u003ccode\u003esecurityLevel\u003c/code\u003e set to \u0026quot;loose\u0026quot;, injecting the SVG into the DOM via \u003ccode\u003einnerHTML\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003ejavascript:\u003c/code\u003e URL is embedded within the rendered SVG.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the rendered diagram node.\u003c/li\u003e\n\u003cli\u003eDue to \u003ccode\u003enodeIntegration\u003c/code\u003e being enabled and \u003ccode\u003econtextIsolation\u003c/code\u003e being disabled in the Electron environment, the \u003ccode\u003ejavascript:\u003c/code\u003e URL executes arbitrary code, effectively achieving remote code execution on the victim's machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on a victim's machine. This can lead to complete system compromise, including data theft, malware installation, and unauthorized access to sensitive information stored within the SiYuan knowledge base or elsewhere on the system. Given that SiYuan is often used to store personal and professional notes, the impact could be substantial for affected users. The vulnerability affects any user running SiYuan version 3.6.3 or earlier on a desktop system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade SiYuan to version 3.6.4 or later to patch the vulnerability (CVE-2026-40322).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious SiYuan Mermaid Diagram Execution\u0026quot; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected child processes spawned from SiYuan, especially those related to command execution (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, consider disabling the Mermaid diagram rendering feature within SiYuan as a temporary workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-siyuan-rce/","summary":"SiYuan versions 3.6.3 and below are vulnerable to arbitrary code execution due to insecure rendering of Mermaid diagrams, allowing injected javascript: URLs within Mermaid code blocks to execute arbitrary code when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node.","title":"SiYuan Knowledge Management System RCE via Mermaid Diagram Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-siyuan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - SiYuan Knowledge Management System","version":"https://jsonfeed.org/version/1.1"}