CVE-2026-34449
CRITICALSiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Title source: cnaDescription
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv
X_Refsource_Misc x_refsource_misc
https://github.com/siyuan-note/siyuan/issues/17246
X_Refsource_Misc x_refsource_misc
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
Scores
CVSS v3
9.6
EPSS
0.0050
EPSS Percentile
38.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-942
Status
published
Products (3)
b3log/siyuan
< 3.6.2
siyuan-note/siyuan
0 - 3.6.2Go
siyuan-note/siyuan
< 3.6.2
Published
Mar 31, 2026
Tracked Since
Apr 01, 2026