CVE-2026-34449
Remote Code Execution via CORS in SiYuan Desktop
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | < 3.6.2 (3.6.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects SiYuan, a personal knowledge management system, in versions prior to 3.6.2. A malicious website can exploit a permissive Cross-Origin Resource Sharing (CORS) policy that allows any origin and private network access to inject a JavaScript snippet via the API. This snippet executes in Electron's Node.js context with full operating system access the next time the user opens SiYuan's user interface. The attack requires no user interaction beyond visiting the malicious website while SiYuan is running.
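The weakness described above is a CORS policy on a loopback API that answers every origin and additionally grants Private Network Access, so any public web page the user opens can talk to the local service. The Go program below is an added example written for this page, not SiYuan's own code: it places the permissive middleware next to a hardened one that consults an origin allowlist and rejects everything else before the API handler runs. The allowlisted origins, the `/api/example` route and the `apiStub` handler are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// trustedOrigins is the allowlist a loopback API consults before it answers a
// browser's cross-origin request. Both entries are assumptions for this
// example, not SiYuan's real configuration.
var trustedOrigins = map[string]bool{
	"http://127.0.0.1:6806": true,
	"http://localhost:6806": true,
}

// permissiveCORS is the weak pattern: the Origin the browser sends is
// reflected back unconditionally, credentials are allowed and Private Network
// Access is granted, so any public page can call the local API and read the
// response.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin)
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			h.Set("Access-Control-Allow-Private-Network", "true")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// restrictedCORS is the hardened form. A request whose Origin is not on the
// allowlist is rejected with 403 before it reaches the API: CORS headers only
// stop a page from reading the response, they do not stop a simple POST from
// executing. Requests without an Origin header (same-origin or non-browser
// clients) pass through unchanged, and no Private Network Access header is
// ever emitted.
func restrictedCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			next.ServeHTTP(w, r)
			return
		}
		if !trustedOrigins[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
		h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
		h.Add("Vary", "Origin") // cache per origin, never across origins
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// apiStub stands in for a state-changing API route (constructed for the example).
var apiStub = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// probe sends one request with the given method and Origin through h and
// returns the status code plus the Access-Control-Allow-Origin value.
func probe(h http.Handler, method, origin string) (int, string) {
	req := httptest.NewRequest(method, "/api/example", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if method == http.MethodOptions {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	policies := []struct {
		name string
		h    http.Handler
	}{
		{"permissive", permissiveCORS(apiStub)},
		{"restricted", restrictedCORS(apiStub)},
	}
	for _, p := range policies {
		for _, origin := range []string{"https://untrusted.example", "http://127.0.0.1:6806"} {
			code, allow := probe(p.h, http.MethodOptions, origin)
			fmt.Printf("%-10s preflight from %-26s -> %d allow-origin=%q\n", p.name, origin, code, allow)
		}
	}
}
```

Running the program prints that the permissive handler accepts the preflight from `https://untrusted.example` and reflects it in `Access-Control-Allow-Origin`, while the restricted handler returns 403 with no CORS headers and only answers the local origin. The allowlist check runs on every request, not just preflights, which is what keeps a cross-site simple POST from reaching the API at all.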
How can this vulnerability impact me?
The vulnerability allows remote code execution (RCE) on any desktop running the affected SiYuan versions. This means an attacker can execute arbitrary code with full operating system privileges, potentially leading to complete system compromise, data theft, installation of malware, or other malicious activities without the user's knowledge.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update SiYuan to version 3.6.2 or later, where the issue has been patched.
Avoid visiting untrusted or malicious websites while SiYuan is running, as the vulnerability can be exploited simply by visiting a malicious site.