Stored Cross-Site Scripting in SiYuan Personal Knowledge Management System
CVE-2026-34448

9.1CRITICAL

Key Information:

Vendor

Siyuan-note

Status
Siyuan
Vendor
CVE Published:
31 March 2026

What is CVE-2026-34448?

A stored XSS vulnerability exists in SiYuan, a personal knowledge management system, prior to version 3.6.2. This vulnerability allows an attacker to insert a harmful URL into an Attribute View mAsse field. When a victim accesses the Gallery or Kanban view with the 'Cover From -> Asset Field' feature enabled, the malicious input is rendered as an image. The unsafe code accepts arbitrary HTTP/HTTPS URLs without adequate validation or restrictions, storing the attacker's input directly. In the Electron desktop client, this leads to JavaScript execution with nodeIntegration on and contextIsolation off, providing the attacker with the capability to execute arbitrary OS commands under the user's account.

Affected Version(s)

siyuan < 3.6.2

References

https://github.com/siyuan-note/siyuan/security/advisories...
x_refsource_CONFIRM
https://github.com/siyuan-note/siyuan/issues/17246
x_refsource_MISC
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.