XSS Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-34585
What is CVE-2026-34585?
SiYuan, a personal knowledge management system, contains a cross-site scripting (XSS) vulnerability that an attacker can trigger through crafted block attribute values. Prior to version 3.6.2, server-side escaping of attribute values was incomplete when HTML entities were mixed with raw special characters. An attacker can embed malicious IAL (inline attribute list) values in a .sy document and package it into a .sy.zip file. If a victim imports that file through the standard import process, opening the note can trigger the XSS. In the Electron desktop client, the vulnerability can escalate to remote code execution, because the injected JavaScript gains access to Node/Electron APIs. The issue is fixed in version 3.6.2.
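The escaping failure described above, modeled as an added Go example that is not SiYuan's code or its actual patch. The function names are hypothetical: flawedEscape is an assumed stand-in for logic that trusts a value once it contains an entity, strictEscape decodes and then re-escapes everything, and the sample attribute values are constructed and inert.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// entityRe matches a named or numeric HTML entity such as &amp; or &#34;.
var entityRe = regexp.MustCompile(`&(?:[a-zA-Z]+|#[0-9]+|#[xX][0-9a-fA-F]+);`)

// flawedEscape models the bug class (assumed logic, not SiYuan's code):
// a value that already contains an entity is treated as pre-escaped and
// passed through, so raw special characters next to it are never escaped.
func flawedEscape(v string) string {
	if entityRe.MatchString(v) {
		return v
	}
	return html.EscapeString(v)
}

// strictEscape decodes any entities first, then escapes every special
// character, so mixed input ends up in one canonical escaped form.
func strictEscape(v string) string {
	return html.EscapeString(html.UnescapeString(v))
}

// breaksOut reports whether an escaped value would still terminate a
// double-quoted attribute or open a tag when written into HTML.
func breaksOut(escaped string) bool {
	return strings.ContainsAny(escaped, `"<>`)
}

// mixedEncoding flags values that combine entities with raw special
// characters, a cheap pre-import check for block attributes.
func mixedEncoding(v string) bool {
	return entityRe.MatchString(v) && strings.ContainsAny(v, `"<>'`)
}

func main() {
	// Constructed, inert attribute values (no script content).
	for _, v := range []string{`plain "quoted" text`, `Q&amp;A`, `Q&amp;A" data-x="1`} {
		fmt.Printf("%-24q flawed=%-5v strict=%-5v mixed=%v\n", v,
			breaksOut(flawedEscape(v)), breaksOut(strictEscape(v)), mixedEncoding(v))
	}
}
```

Only the third value, which mixes an entity with a raw double quote, survives flawedEscape unescaped; mixedEncoding flags the same value, which makes it usable as a triage check on attributes in untrusted .sy files before import.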
Affected Version(s)
siyuan < 3.6.2
