CVE-2026-34585
HIGHSiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution
Title source: cnaDescription
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg
X_Refsource_Misc x_refsource_misc
https://github.com/siyuan-note/siyuan/issues/17246
X_Refsource_Misc x_refsource_misc
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
Scores
CVSS v3
8.6
EPSS
0.0034
EPSS Percentile
25.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
CWE-94
Status
published
Products (3)
b3log/siyuan
< 3.6.2
siyuan-note/siyuan
0 - 0.0.0-20260329142331-918d1bd9f967Go
siyuan-note/siyuan
< 3.6.2
Published
Mar 31, 2026
Tracked Since
Apr 01, 2026