CVE-2026-34449
Received Received - Intake

Remote Code Execution via CORS in SiYuan Desktop

Vulnerability report for CVE-2026-34449, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-07-06
AI Q&A
2026-04-01
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan to 3.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects SiYuan, a personal knowledge management system, in versions prior to 3.6.2. A malicious website can exploit a permissive Cross-Origin Resource Sharing (CORS) policy that allows any origin and private network access to inject a JavaScript snippet via the API. This snippet executes in Electron's Node.js context with full operating system access the next time the user opens SiYuan's user interface. The attack requires no user interaction beyond visiting the malicious website while SiYuan is running.

Impact Analysis

The vulnerability allows remote code execution (RCE) on any desktop running the affected SiYuan versions. This means an attacker can execute arbitrary code with full operating system privileges, potentially leading to complete system compromise, data theft, installation of malware, or other malicious activities without the user's knowledge.

Mitigation Strategies

To mitigate this vulnerability, immediately update SiYuan to version 3.6.2 or later, where the issue has been patched.

Avoid visiting untrusted or malicious websites while SiYuan is running, as the vulnerability can be exploited simply by visiting a malicious site.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart