CVE-2026-34585
Received Received - Intake
Stored XSS in SiYuan Desktop Client Enables Remote Code Execution

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-22
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-21
NVD
CVE-2026-34585
EUVD
EUVD-2026-17685
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan to 3.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-34585 is a high-severity vulnerability that allows remote code execution via stored cross-site scripting in SiYuan Desktop versions prior to 3.6.2. This vulnerability can lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Specifically, the vulnerability's ability to execute arbitrary commands on the victim's machine could lead to data exposure, modification, or loss, violating confidentiality, integrity, and availability requirements mandated by these regulations.

Detection Guidance

This vulnerability involves importing malicious .sy.zip files containing crafted .sy documents with specially crafted block attribute values that bypass server-side escaping, leading to stored XSS and potential remote code execution in SiYuan Desktop versions prior to 3.6.2.

Detection on your system involves verifying the version of SiYuan Desktop installed and monitoring for the import of suspicious .sy.zip files that may contain malicious attributes.

Since the attack vector requires importing a malicious .sy.zip file and opening the note, you can detect attempts by:

  • Checking the SiYuan Desktop version to ensure it is 3.6.2 or later, which contains the patch.
  • Monitoring file imports for .sy.zip files from untrusted sources.
  • Inspecting .sy documents inside .sy.zip files for suspicious block attribute values mixing HTML entities and raw special characters, such as patterns like `&" onmouseenter=`.

There are no specific network commands or signatures provided in the resources for automated detection. However, you can manually inspect imported .sy.zip files by unzipping and searching for suspicious attribute patterns using commands like:

  • On a Unix-like system, unzip the archive: `unzip suspicious.sy.zip -d extracted`
  • Search for suspicious attributes in .sy files: `grep -r '&" onmouseenter=' extracted/`
  • Check the SiYuan Desktop version via its About dialog or application metadata to confirm it is patched (version 3.6.2 or later).

Because the vulnerability requires user interaction (importing and opening the malicious note), network detection is limited. Focus on endpoint protection by restricting imports from untrusted sources and updating the software.

Executive Summary

This vulnerability exists in SiYuan, a personal knowledge management system, prior to version 3.6.2. It allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip file, and trick a victim into importing it through the normal Import -> SiYuan .sy.zip workflow. When the victim opens the note, the malicious attribute escapes its original HTML context and injects an event handler, resulting in stored cross-site scripting (XSS).

In the Electron desktop client, this XSS vulnerability escalates to remote code execution because the injected JavaScript runs with access to Node/Electron APIs. This means the attacker can execute arbitrary code on the victim's machine.

This issue has been fixed in version 3.6.2 of SiYuan.

Impact Analysis

This vulnerability can have severe impacts including the execution of arbitrary code on your machine if you use the vulnerable SiYuan Electron desktop client. An attacker can craft malicious .sy.zip files that, when imported and opened, execute JavaScript with full access to Node/Electron APIs.

The impacts include complete compromise of confidentiality, integrity, and availability of your data and system, as indicated by the CVSS score which rates confidentiality, integrity, and availability impacts as high.

Because the attack requires user interaction (importing and opening a malicious file), the attack vector is local, but the consequences can be severe.

Mitigation Strategies

The vulnerability has been patched in SiYuan version 3.6.2.

To mitigate this vulnerability, immediately upgrade your SiYuan personal knowledge management system to version 3.6.2 or later.

Avoid importing .sy.zip files from untrusted sources, as the vulnerability is exploited through maliciously crafted .sy.zip imports.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart