CVE-2026-32751
Status: Received - Intake
Stored XSS in SiYuan MobileFiles Enables Remote Code Execution

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.
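The defect described above is a missing escape-on-output step; the following added example (not SiYuan's own code, and the function, class and event field names are assumptions for illustration) shows the unsafe and the hardened way of turning a renamenotebook event into file-tree markup, plus a small audit helper for flagging stored notebook names that contain HTML-significant characters while an upgrade is pending:

```javascript
// Added example, not SiYuan's code. Names below (renderNameUnsafe, renderNameSafe,
// the "notebook-name" class, the event layout) are assumptions for illustration.

// Minimal HTML escaper, equivalent in spirit to the escapeHtml() that the advisory
// says the desktop Files.ts applies before writing into innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Constructed renamenotebook event as the mobile tree might receive it.
// The name is user-controlled: any user allowed to rename notebooks sets it.
const sampleEvent = {
  cmd: "renamenotebook",
  data: { box: "notebook-id-placeholder", name: 'Notes <img src=x onerror="alert(1)">' },
};

// Vulnerable pattern (the bug fixed in 3.6.1): the raw name is concatenated into
// markup that is later assigned to innerHTML, so the browser parses it as HTML.
function renderNameUnsafe(evt) {
  return `<span class="notebook-name">${evt.data.name}</span>`;
}

// Hardened pattern: escape on output so the name is rendered as literal text.
function renderNameSafe(evt) {
  return `<span class="notebook-name">${escapeHtml(evt.data.name)}</span>`;
}

// Review aid: does the fragment contain any tag besides the wrapper we emitted?
// True means user input reached the markup unescaped.
function leaksMarkup(fragment) {
  const inner = fragment.replace(/^<span[^>]*>/, "").replace(/<\/span>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Audit aid for deployments still on 3.6.0 or earlier: flag stored notebook names
// whose escaped form differs from the raw one. Benign names such as "Q&A" are
// flagged too, so treat hits as items to review rather than proof of abuse.
function findMarkupNames(names) {
  return names.filter((n) => escapeHtml(n) !== n);
}
```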
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: b3log
Product: siyuan
Version / Range: up to 3.6.1 (excluding)
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in SiYuan, a personal knowledge management system, in versions 3.6.0 and below. The issue is in the mobile file tree component, which renders notebook names using innerHTML without escaping HTML characters when processing renamenotebook WebSocket events. This allows an authenticated user who can rename notebooks to inject arbitrary HTML or JavaScript code.

Because the Electron framework used by the application is configured with nodeIntegration enabled and contextIsolation disabled, the injected JavaScript can execute with full Node.js privileges. This escalates the stored cross-site scripting (XSS) vulnerability to full remote code execution on any mobile client viewing the file tree. Additionally, the mobile layout is also used in the desktop app when the window is narrow, making the vulnerability exploitable on desktop as well.

This vulnerability was fixed in version 3.6.1.


How can this vulnerability impact me?

The vulnerability allows an authenticated user with permission to rename notebooks to inject malicious HTML or JavaScript code that executes on mobile clients and desktop clients using the mobile layout.

Because the injected code runs with full Node.js access due to Electron's configuration, an attacker can execute arbitrary code remotely on affected devices. This can lead to full system compromise, data theft, unauthorized actions, or further malware installation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in SiYuan version 3.6.1. Immediate mitigation involves upgrading the SiYuan application to version 3.6.1 or later.

Since the issue arises from improper HTML escaping in the mobile file tree when processing renamenotebook WebSocket events, restricting or monitoring authenticated users' ability to rename notebooks can reduce risk until the upgrade is applied.

