—

GO-2026-4993

SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) in github.com/siyuan-note/siyuan/kernel

Details

SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585) in github.com/siyuan-note/siyuan/kernel

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/siyuan-note/siyuan/kernel

Introduced in: 0

No fixed version published yet for github.com/siyuan-note/siyuan/kernel (go modules). Pin to a known-safe version or switch to an alternative.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-25rp-h46x-2hjm [ADVISORY]
https://nvd.nist.gov/vuln/detail/CVE-2026-44588 [ADVISORY]