CVE-2026-34449
Status: Received - Intake
Remote Code Execution via CORS in SiYuan Desktop

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: b3log
Product: siyuan
Version / Range: all versions before 3.6.2 (3.6.2 itself excluded)
CWE
CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Executive Summary

This vulnerability affects SiYuan, a personal knowledge management system, in versions prior to 3.6.2. A malicious website can exploit a permissive Cross-Origin Resource Sharing (CORS) policy that allows any origin and private network access to inject a JavaScript snippet via the API. This snippet executes in Electron's Node.js context with full operating system access the next time the user opens SiYuan's user interface. The attack requires no user interaction beyond visiting the malicious website while SiYuan is running.

Impact Analysis

The vulnerability allows remote code execution (RCE) on any desktop running an affected SiYuan version. Because the injected snippet runs in Electron's Node.js context, the attacker's code has the same operating-system access as the SiYuan process itself (that is, the logged-in user's), which can lead to complete compromise of that user's environment, data theft, installation of malware, or other malicious activity without the user's knowledge.

Mitigation Strategies

The only complete fix is to update SiYuan to version 3.6.2 or later, where the permissive CORS policy has been corrected.

Until the update is applied, avoid browsing untrusted websites while SiYuan is running: the attack needs no interaction beyond a page load, and it only works while the SiYuan kernel is up and reachable from the browser, so closing SiYuan while visiting unfamiliar sites removes the exposure window.
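The description above names the defect precisely: a wildcard `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Private-Network: true` lets a script on any public website call a service bound to the user's own machine. The following Python is an added example, not SiYuan's code or its fix: it places that weak header policy beside an origin-allowlist policy that never waives the browser's Private Network Access check for untrusted origins, and it includes a small checker a defender can run over captured response headers to flag the dangerous combination. The allowlist entries and the port are constructed for illustration.

```python
"""Added example (not from the SiYuan project): weak vs. hardened CORS
header policy for a localhost-bound API, plus a header audit helper."""
from typing import Dict, FrozenSet, List, Mapping, Optional

# Constructed allowlist for illustration only; a local-only desktop app would
# normally permit just its own UI origin(s). The port is a made-up value.
TRUSTED_ORIGINS: FrozenSet[str] = frozenset({"http://127.0.0.1:8080"})


def permissive_cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """The weak policy the advisory describes: every origin is allowed and the
    browser's Private Network Access (PNA) check is waived, so a script served
    by any public website may reach an API bound to 127.0.0.1."""
    # request_origin is deliberately ignored: this is the "before" behaviour.
    return {
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Private-Network": "true",
    }


def allowlist_cors_headers(
    request_origin: Optional[str],
    trusted: FrozenSet[str] = TRUSTED_ORIGINS,
    private_network_ok: FrozenSet[str] = frozenset(),
) -> Dict[str, str]:
    """Hardened policy: echo the Origin only when it is on the allowlist,
    add 'Vary: Origin' so shared caches keep one response per origin, and
    grant the PNA opt-in only to origins explicitly listed for it.

    Returns an empty dict (no CORS headers, so the browser blocks the
    cross-origin read) for a missing, 'null', or unlisted origin."""
    if not request_origin or request_origin.strip().lower() == "null":
        return {}
    if request_origin not in trusted:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",
    }
    if request_origin in private_network_ok:
        headers["Access-Control-Allow-Private-Network"] = "true"
    return headers


def _normalise(headers: Mapping[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; values are compared trimmed and
    lower-cased so ' TRUE ' still counts as an opt-in."""
    return {k.strip().lower(): v.strip().lower() for k, v in headers.items()}


def audit_cors(headers: Mapping[str, str]) -> List[str]:
    """Return findings, in fixed order, for a captured response header set.

    'wildcard-origin'                  ACAO is '*'
    'private-network-opt-in'          ACAPN is 'true'
    'wildcard-origin+private-network'  both at once: the CVE-2026-34449 pattern
    """
    norm = _normalise(headers)
    acao = norm.get("access-control-allow-origin", "")
    pna = norm.get("access-control-allow-private-network", "")
    findings: List[str] = []
    if acao == "*":
        findings.append("wildcard-origin")
    if pna == "true":
        findings.append("private-network-opt-in")
    if acao == "*" and pna == "true":
        findings.append("wildcard-origin+private-network")
    return findings


def is_private_network_exposed(headers: Mapping[str, str]) -> bool:
    """True when a public-web origin could reach this private service."""
    return "wildcard-origin+private-network" in audit_cors(headers)


if __name__ == "__main__":
    probe = "https://public-site.example"  # constructed untrusted origin
    print("weak     :", audit_cors(permissive_cors_headers(probe)))
    print("hardened :", audit_cors(allowlist_cors_headers(probe)))
```

The checker treats the wildcard and the PNA opt-in as separate findings because each is a problem on its own for a localhost service, but it is their combination that matches this advisory: the wildcard alone still lets the browser's Private Network Access check refuse the request from a public site, while the PNA opt-in alone only matters for origins the policy already admits.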
