CVE-2026-34448
Received Received - Intake
Stored XSS in SiYuan Electron Client Enables OS Command Execution

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with β€œCover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src="..."> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34448
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan to 3.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SiYuan, a personal knowledge management system, prior to version 3.6.2. An attacker can place a malicious URL in an Attribute View mAsse field, which triggers a stored Cross-Site Scripting (XSS) attack when a victim opens the Gallery or Kanban view with the β€œCover From -> Asset Field” option enabled.

The vulnerable code accepts arbitrary http(s) URLs without extensions as images and stores the attacker-controlled string in the coverURL variable. This string is then injected directly into an <img src="..."> attribute without proper escaping.

In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, allowing the XSS to escalate to arbitrary operating system command execution under the victim’s user account.

This vulnerability has been fixed in version 3.6.2 of SiYuan.

Impact Analysis

This vulnerability can have severe impacts including:

  • Execution of arbitrary JavaScript code within the Electron desktop client.
  • Escalation to arbitrary operating system command execution under the victim’s user account.
  • Potential compromise of the victim’s system, data theft, or further malware installation.
  • Because the attack requires the victim to open a specific view with a malicious URL, social engineering or targeted attacks may be involved.
Mitigation Strategies

The vulnerability has been patched in SiYuan version 3.6.2. To mitigate this vulnerability, you should immediately upgrade your SiYuan personal knowledge management system to version 3.6.2 or later.

Additionally, avoid enabling the β€œCover From -> Asset Field” feature if you cannot upgrade immediately, as this feature is involved in triggering the stored XSS.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart