CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59855

unknowncovered by 1 sourcefirst seen 2026-07-09
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, Asset.render in app/src/asset/index.ts interpolates the unsanitized this.path value into HTML assigned to innerHTML, allowing a crafted asset link containing a double quote to break out of the src attribute, inject an event handler, and execute JavaScript that can run OS commands in the Electron renderer. This issue is fixed in versions 3.7.1-alpha.2 and 3.7.1.

⚡ Watch CVE-2026-59855

Get an email if CVE-2026-59855 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-59855

CVE.org record

Embed the live status

CVE-2026-59855 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59855 status](https://www.csirts.com/badge/CVE-2026-59855)](https://www.csirts.com/cve/CVE-2026-59855)