CVE-2026-32751
Status: Received - Intake
Stored XSS in SiYuan MobileFiles Enables Remote Code Execution

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.
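As an added illustration (not SiYuan's own code), the sink described above modelled in plain JavaScript: the same notebook name rendered through innerHTML once unescaped, as the mobile tree did, and once through an escapeHtml() helper, as the desktop tree does. The element object, the event shape, the sample names and the function names are constructed for the demo; the real MobileFiles.ts and Files.ts code is not reproduced here. With nodeIntegration enabled the onerror handler in the hostile name would run with Node.js access, which is the escalation the advisory describes; a harmless alert(1) is used as the canary here.

```javascript
// Added example for CVE-2026-32751, not SiYuan's code. Models the
// renamenotebook -> innerHTML sink with constructed data; no DOM is needed.

// Escape the five characters that matter when text is placed inside an
// element body or a double/single-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for a DOM node: only the resulting innerHTML string matters here.
function makeElement() {
  return { innerHTML: "" };
}

// Vulnerable pattern (what the advisory describes for the mobile tree):
// the name from the WebSocket event is interpolated straight into markup.
function renderNameVulnerable(el, event) {
  el.innerHTML = `<span>${event.data.name}</span>`;
  return el.innerHTML;
}

// Fixed pattern (what the desktop tree and 3.6.1 do): escape first.
function renderNameFixed(el, event) {
  el.innerHTML = `<span>${escapeHtml(event.data.name)}</span>`;
  return el.innerHTML;
}

// Constructed renamenotebook events. Box ids and names are made up.
const hostileEvent = {
  cmd: "renamenotebook",
  data: { box: "demo-box-1", name: '<img src=x onerror="alert(1)">' },
};
const breakoutEvent = {
  cmd: "renamenotebook",
  data: { box: "demo-box-2", name: "</span><svg onload=alert(1)>" },
};
const benignEvent = {
  cmd: "renamenotebook",
  data: { box: "demo-box-3", name: "Work notes & ideas" },
};

// Render every event both ways so the difference is visible side by side.
function demo() {
  const out = {};
  for (const ev of [hostileEvent, breakoutEvent, benignEvent]) {
    out[ev.data.box] = {
      vulnerable: renderNameVulnerable(makeElement(), ev),
      fixed: renderNameFixed(makeElement(), ev),
    };
  }
  return out;
}
```

The breakout name shows why escaping the name, rather than wrapping it in a tag, is the fix: an unescaped `</span>` closes the template's own element and the rest of the name becomes top-level markup.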
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: b3log
Product: siyuan
Version / Range: all versions before 3.6.1 (3.6.1 itself is not affected)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in SiYuan, a personal knowledge management system, in versions 3.6.0 and below. The issue is in the mobile file tree component, which renders notebook names using innerHTML without escaping HTML characters when processing renamenotebook WebSocket events. This allows an authenticated user who can rename notebooks to inject arbitrary HTML or JavaScript code.

Because the Electron framework used by the application is configured with nodeIntegration enabled and contextIsolation disabled, the injected JavaScript can execute with full Node.js privileges. This escalates the stored cross-site scripting (XSS) vulnerability to full remote code execution on any mobile client viewing the file tree. Additionally, the mobile layout is also used in the desktop app when the window is narrow, making the vulnerability exploitable on desktop as well.

This vulnerability was fixed in version 3.6.1.

Impact Analysis

The vulnerability allows an authenticated user with permission to rename notebooks to store a notebook name containing HTML or JavaScript, which then executes on every mobile client, and every desktop Electron window narrow enough to use the mobile layout, that renders the file tree. The payload is persistent: it is stored with the notebook and replayed to each client that loads the tree, not just to clients connected at the time of the rename.

In the Electron app the injected code runs with full Node.js access because of the nodeIntegration: true / contextIsolation: false configuration, so the attacker can execute arbitrary code on the affected device. This can lead to full system compromise, data theft, unauthorized actions, or further malware installation. In a plain browser client the same payload is an ordinary stored XSS confined to the SiYuan origin, which still allows actions with the victim's session but not native code execution.

Detection Guidance

Notebook names are stored server-side and sent to every connected client, so an exploitation attempt leaves a persistent, inspectable artifact. On an affected instance (SiYuan 3.6.0 or earlier), review the names of all notebooks for HTML markup: a name containing a tag such as <img ...> or <svg ...>, an inline event-handler attribute (onerror=, onload=), or a javascript: URL is not a plausible notebook title and should be treated as an attempted attack. If WebSocket or API traffic is logged, apply the same check to the name field of renamenotebook events. Because the desktop file tree (Files.ts) escapes the name, a hostile name looks harmless in a wide desktop window; inspect the stored value rather than relying on how the tree renders.
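A check of the kind an operator would run over notebook names, as an added example that is not part of this page or of SiYuan: it parses constructed rename-event log lines and flags any name field that contains markup. The log line format, the box ids and the names are all made up for the demo; the markup patterns are ordinary stored-XSS indicators, not a signature published for this CVE.

```javascript
// Added example for CVE-2026-32751 detection, not SiYuan's code. The log
// format "<timestamp> <cmd> <json payload>" is assumed for the demo.

// Indicators that a value which should be a plain title carries markup.
const MARKUP_PATTERNS = [
  /<\s*\/?\s*[a-z!]/i,   // opening/closing tag or comment, e.g. <img, </span, <!--
  /\bon[a-z]+\s*=/i,     // inline event handler attribute, e.g. onerror=
  /javascript\s*:/i,     // script URL scheme
];

function isSuspiciousName(name) {
  return MARKUP_PATTERNS.some((re) => re.test(String(name)));
}

// Parse one constructed log line; returns null for lines that do not match.
function parseEventLine(line) {
  const m = /^(\S+)\s+(\S+)\s+(\{.*\})$/.exec(line);
  if (!m) return null;
  try {
    return { ts: m[1], cmd: m[2], data: JSON.parse(m[3]) };
  } catch (e) {
    return null;
  }
}

// Walk the log and return every renamenotebook event whose name carries markup.
function flagRenames(lines) {
  const hits = [];
  for (const line of lines) {
    const ev = parseEventLine(line);
    if (!ev || ev.cmd !== "renamenotebook") continue;
    if (isSuspiciousName(ev.data.name)) {
      hits.push({ ts: ev.ts, box: ev.data.box, name: ev.data.name });
    }
  }
  return hits;
}

// Constructed sample log: two benign renames, two hostile ones.
const SAMPLE_LOG = [
  '2026-03-19T10:00:00Z renamenotebook {"box":"demo-box-1","name":"Work notes"}',
  '2026-03-19T10:01:00Z renamenotebook {"box":"demo-box-2","name":"<img src=x onerror=alert(1)>"}',
  '2026-03-19T10:02:00Z renamenotebook {"box":"demo-box-3","name":"Q&A archive"}',
  '2026-03-19T10:03:00Z renamenotebook {"box":"demo-box-4","name":"</span><svg onload=alert(1)>"}',
  'not a log line at all',
];
```

The same isSuspiciousName() check can be applied directly to the stored notebook names on the server, which is the more reliable source since a rename that happened before logging was enabled still leaves its payload there.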

Mitigation Strategies

The vulnerability is fixed in SiYuan 3.6.1, which escapes the notebook name in the mobile file tree the way the desktop tree (Files.ts) already did. Upgrade to 3.6.1 or later. The payload executes on whichever client renders the tree, so every installation that opens the affected notebooks, including mobile clients and desktop Electron windows used at narrow widths, needs the update.

Until the upgrade is applied, two things reduce exposure. First, exploitation requires an authenticated user who can rename notebooks, so restrict who can authenticate to the instance and do not expose it to untrusted networks. Second, check existing notebook names for HTML markup before opening the file tree on a mobile client or a narrow desktop window, and rename any that contain it from a client that escapes the name.

One caveat: the advisory describes the fix as adding the missing escaping; it does not say the Electron configuration (nodeIntegration: true, contextIsolation: false) was changed. That configuration is what turns any HTML injection in the renderer into native code execution, so any other unescaped innerHTML sink would carry the same impact. Enabling contextIsolation and disabling nodeIntegration, with a preload script exposing only the APIs the renderer needs, is the structural defence that limits a future XSS to the web origin.
