CVE-2026-41421: SiYuan Desktop RCE via HTML Notification Abuse

The National Vulnerability Database has detailed CVE-2026-41421, a high-severity vulnerability (CVSS 8.8) affecting SiYuan, an open-source personal knowledge management system. Prior to version 3.6.5, SiYuan’s desktop application was susceptible to remote code execution due to improper handling of notification messages. The application rendered notification content as raw HTML within an Electron renderer.

Attackers could exploit this by sending a crafted msg value to the /api/notification/pushMsg endpoint. Because the Electron windows in SiYuan's desktop builds were configured with nodeIntegration: true, contextIsolation: false, and webSecurity: false, JavaScript embedded in these notifications could directly access Node.js APIs. This configuration allowed a straightforward escalation from cross-site scripting (XSS) to full desktop code execution, bypassing typical browser security models.

This vulnerability is a critical reminder of the dangers of misconfigured Electron applications. The nodeIntegration: true setting essentially turns an XSS into a local code execution primitive. Defenders need to understand that the security context of Electron apps is fundamentally different from a standard web browser, especially when Node.js integration is enabled. The fix is available in SiYuan version 3.6.5.
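An added example (not SiYuan's code and not part of the original advisory): a static check in plain Node.js JavaScript that flags the three webPreferences values named above in the text of an Electron main-process file. The function names and both sample sources are constructed for illustration.

```javascript
// Added example: flag the three webPreferences values named in CVE-2026-41421.
const RISKY = [
  { key: 'nodeIntegration', bad: 'true', why: 'renderer script can call Node.js APIs' },
  { key: 'contextIsolation', bad: 'false', why: 'page script shares a context with privileged code' },
  { key: 'webSecurity', bad: 'false', why: 'same-origin policy is disabled' },
];

// Blank out comments, keeping newlines so reported line numbers stay correct.
// Simplification: "//" inside a string literal is treated as a comment start.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (c) => c.replace(/[^\n]/g, ' '))
    .replace(/(^|[^:])\/\/[^\n]*/g, '$1');
}

function auditWebPreferences(src) {
  const clean = stripComments(src);
  const findings = [];
  for (const { key, bad, why } of RISKY) {
    // Matches key: value as well as 'key': value and "key": value.
    const re = new RegExp(`\\b${key}\\b['"]?\\s*:\\s*${bad}\\b`, 'g');
    for (const m of clean.matchAll(re)) {
      const line = clean.slice(0, m.index).split('\n').length;
      findings.push({ key, line, why });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed samples: a window configured as the advisory describes, and a hardened one.
const WEAK_MAIN_JS = `
const win = new BrowserWindow({
  webPreferences: {
    nodeIntegration: true,
    contextIsolation: false,
    webSecurity: false,
  },
});`;

const HARDENED_MAIN_JS = `
const win = new BrowserWindow({
  webPreferences: {
    // nodeIntegration: true   (old setting, kept only as a comment)
    nodeIntegration: false,
    contextIsolation: true,
  },
});`;
console.log(auditWebPreferences(WEAK_MAIN_JS));
```

An empty result means none of the three values is set explicitly in the scanned text; it does not inspect settings built at runtime.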

What This Means For You

  • If your organization or individual users rely on SiYuan for knowledge management, this is a critical patch. Immediately upgrade all SiYuan desktop installations to version 3.6.5 or later to mitigate CVE-2026-41421. Failing to do so leaves users vulnerable to remote code execution, which can lead to complete system compromise if an attacker can push a malicious notification.

🛡️ Detection Rules

Sigma YAML — free preview
title: CVE-2026-41421: SiYuan Desktop RCE via HTML Notification Abuse
id: scw-2026-04-24-ai-1
status: experimental
level: critical
description: |
  Detects the execution of SiYuan.exe with specific Electron configurations that enable RCE via HTML notification abuse, as described in CVE-2026-41421. This rule targets the core vulnerability where raw HTML is rendered with elevated privileges.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41421/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'SiYuan.exe'
    # nodeIntegration, contextIsolation and webSecurity are BrowserWindow
    # webPreferences set in the application's JavaScript, so these strings
    # match only if they happen to appear on the process command line.
    CommandLine|contains:
      - 'nodeIntegration: true'
      - 'contextIsolation: false'
      - 'webSecurity: false'
  # condition belongs at the detection level, not inside the selection
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41421 | RCE | SiYuan desktop < 3.6.5 |
| CVE-2026-41421 | XSS | SiYuan desktop < 3.6.5 |
| CVE-2026-41421 | Code Injection | POST /api/notification/pushMsg with user-controlled 'msg' value |
| CVE-2026-41421 | Misconfiguration | Electron windows with nodeIntegration: true, contextIsolation: false, webSecurity: false in main.js |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 24, 2026 at 22:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
