SiYuan is a personal knowledge management system. Prior to 3.6.4, SiYuan configures Mermaid.js with securityLevel: “loose” and htmlLabels: true. In this mode, tags with src attributes survive Mermaid’s internal DOMPurify and land in SVG blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\attacker.comimage.png). Windows attempts SMB authentication automatically, sending the victim’s NTLMv2 hash to the attacker. This vulnerability is fixed in 3.6.4.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
