CVE-2026-34448
Stored XSS in SiYuan Electron Client Enables OS Command Execution
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | to 3.6.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SiYuan, a personal knowledge management system, prior to version 3.6.2. An attacker can place a malicious URL in an Attribute View mAsse field, which triggers a stored Cross-Site Scripting (XSS) attack when a victim opens the Gallery or Kanban view with the βCover From -> Asset Fieldβ option enabled.
The vulnerable code accepts arbitrary http(s) URLs without extensions as images and stores the attacker-controlled string in the coverURL variable. This string is then injected directly into an <img src="..."> attribute without proper escaping.
In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, allowing the XSS to escalate to arbitrary operating system command execution under the victimβs user account.
This vulnerability has been fixed in version 3.6.2 of SiYuan.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including:
- Execution of arbitrary JavaScript code within the Electron desktop client.
- Escalation to arbitrary operating system command execution under the victimβs user account.
- Potential compromise of the victimβs system, data theft, or further malware installation.
- Because the attack requires the victim to open a specific view with a malicious URL, social engineering or targeted attacks may be involved.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in SiYuan version 3.6.2. To mitigate this vulnerability, you should immediately upgrade your SiYuan personal knowledge management system to version 3.6.2 or later.
Additionally, avoid enabling the βCover From -> Asset Fieldβ feature if you cannot upgrade immediately, as this feature is involved in triggering the stored XSS.