A vulnerability was found in siyuan-note SiYuan up to 3.7.0. It has been declared as critical. The impacted element is the function Asset.render of the file app/src/asset/index.ts of the component Asset. Executing a manipulation of the argument path can lead to os command injection.

This vulnerability is tracked as CVE-2026-59855. The attack can be launched remotely. No exploit exists.