CVE-2026-32751 is a stored cross-site scripting vulnerability affecting SiYuan, a personal knowledge management system, in versions prior to 3.6.1. The vulnerability exists in the mobile file tree component (MobileFiles.ts), which processes renamenotebook WebSocket events by rendering notebook names directly via innerHTML without applying HTML escaping. This contrasts with the desktop component (Files.ts), which correctly escapes HTML. An authenticated user with rename privileges can inject arbitrary HTML or JavaScript code into notebook names. When other users view the file tree on mobile clients, or on desktop clients using the mobile layout (narrow window), the injected script executes. Because SiYuan is built on Electron with nodeIntegration set to true and contextIsolation set to false, the injected JavaScript gains full Node.js API access, allowing escalation from stored XSS to remote code execution (RCE). This means an attacker can execute arbitrary code on the victim's device, potentially compromising confidentiality, integrity, and availability of the system. The vulnerability requires authentication and user interaction (viewing the file tree). The issue was patched in version 3.6.1 by properly escaping HTML input in the mobile file tree component. No public exploits have been reported so far.

The impact of CVE-2026-32751 is significant for organizations using SiYuan versions below 3.6.1, especially those with multiple users who have notebook rename privileges. An attacker with authenticated access can inject malicious scripts that execute on other users' devices, leading to remote code execution due to Electron's insecure configuration. This can result in full system compromise of the client device, data theft, unauthorized actions, and potential lateral movement within the organization's network. Because the vulnerability affects both mobile clients and desktop clients running the mobile layout, a wide range of endpoints are at risk. The requirement for authentication limits exposure to internal or trusted users, but insider threats or compromised accounts could exploit this. The absence of known exploits in the wild reduces immediate risk but does not eliminate it. Organizations relying on SiYuan for sensitive knowledge management should consider this a medium risk with potential for severe consequences if exploited.

To mitigate CVE-2026-32751, organizations should immediately upgrade all SiYuan installations to version 3.6.1 or later, where the vulnerability is patched by proper HTML escaping in the mobile file tree component. Additionally, restrict notebook rename privileges to trusted users only, minimizing the number of accounts capable of injecting malicious content. Review and harden Electron application configurations by disabling nodeIntegration and enabling contextIsolation to reduce the impact of any future XSS vulnerabilities. Implement network segmentation and endpoint protection to detect and prevent exploitation attempts. Monitor WebSocket traffic and application logs for suspicious renamenotebook events or unexpected HTML content. Educate users about the risks of interacting with untrusted notebook names and encourage reporting of unusual behavior. Finally, consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect exploitation attempts in real time.