CVE-2026-32751: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
CVE-2026-32751 is a stored cross-site scripting (XSS) vulnerability in the SiYuan personal knowledge management system, versions 3.6.0 and below. It arises because the mobile file tree component renders notebook names using innerHTML without proper HTML escaping when processing renamenotebook WebSocket events. An authenticated user with permission to rename notebooks can inject malicious HTML/JavaScript that executes on any mobile client viewing the file tree. Because Electron is configured with nodeIntegration enabled and contextIsolation disabled, this XSS can escalate to full remote code execution on both mobile clients and desktop clients using the mobile layout. The vulnerability is fixed in version 3.6.1. The CVSS 4.
AI Analysis
Technical Summary
CVE-2026-32751 is a stored cross-site scripting vulnerability affecting SiYuan, a personal knowledge management system, in versions prior to 3.6.1. The issue resides in the mobile file tree component (MobileFiles.ts), which renders notebook names via innerHTML without applying HTML escaping when handling renamenotebook WebSocket events. This contrasts with the desktop component (Files.ts), which correctly escapes HTML. An authenticated user capable of renaming notebooks can inject arbitrary HTML or JavaScript that executes in the context of any mobile client viewing the file tree. Since SiYuan's Electron desktop app switches to the same mobile layout when the window is narrow, the vulnerability also affects desktop users. Critically, Electron is configured with nodeIntegration set to true and contextIsolation set to false, so injected scripts can call Node.js APIs directly. This configuration escalates the stored XSS into full remote code execution, letting an attacker run arbitrary code on the victim's device. The vulnerability requires no user interaction beyond viewing the file tree and no privileges beyond an authenticated account with notebook renaming rights. The issue was addressed in version 3.6.1 by properly escaping HTML in the mobile file tree rendering. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) reflects a network attack vector, low attack complexity, low privileges (an authenticated account with renaming rights), passive user interaction (viewing the file tree), and partial impact on confidentiality and integrity. No known exploits have been reported in the wild as of the publication date.
Potential Impact
This vulnerability poses a significant risk to organizations and individual users employing SiYuan for knowledge management, especially those using the mobile app or the Electron desktop app in narrow window mode. An attacker with authenticated access to rename notebooks can inject malicious scripts that execute with full Node.js privileges due to Electron's insecure configuration. This can lead to complete compromise of the victim's device, including data theft, installation of malware, or lateral movement within a network. The impact extends beyond confidentiality and integrity to full system control, elevating the severity beyond typical XSS attacks. Organizations relying on SiYuan for sensitive information management may face data breaches, operational disruption, and potential compliance violations. The requirement for authenticated access limits exposure but insider threats or compromised accounts can exploit this vulnerability. The lack of user interaction beyond viewing the file tree increases the risk of widespread exploitation within affected environments. Although no exploits are currently known in the wild, the ease of exploitation and severity of impact warrant urgent remediation.
Mitigation Recommendations
To mitigate this vulnerability, affected users and organizations should upgrade SiYuan to version 3.6.1 or later, where the issue is fixed by proper HTML escaping in the mobile file tree component. Until upgrading is possible, administrators should restrict notebook renaming permissions to trusted users only, minimizing the risk of malicious input. Additionally, consider disabling or restricting the use of the mobile layout in the Electron desktop app to reduce exposure. Electron's configuration should be hardened by disabling nodeIntegration and enabling contextIsolation to prevent JavaScript injection from escalating to remote code execution. Implement network segmentation and monitoring to detect suspicious WebSocket activity related to renamenotebook events. Educate users to avoid opening or interacting with suspicious notebooks and monitor logs for anomalous renaming actions. Regularly audit user permissions and enforce strong authentication to reduce the risk of account compromise. Finally, apply defense-in-depth controls such as endpoint protection and application whitelisting to limit the impact of potential exploitation.
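The two points above that a practitioner would want to see side by side are the rendering defect (unescaped notebook name interpolated into innerHTML markup) next to its escaped form, and the hardened Electron webPreferences the mitigation calls for. The following is an added example, not SiYuan's own code; the event shape, function names and the sample notebook ID are assumptions constructed for illustration.

```javascript
// Added example, not SiYuan code. Shows the unescaped-vs-escaped rendering pattern
// behind CVE-2026-32751 and the Electron webPreferences the advisory recommends.

// Minimal HTML escaper: what any renderer must apply before placing untrusted
// text into markup that is later assigned to innerHTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (mobile component): the name is concatenated raw, so any
// markup in the notebook name becomes live DOM once assigned to innerHTML.
function renderNotebookUnsafe(name) {
  return `<li><span class="notebook-name">${name}</span></li>`;
}

// Fixed pattern (what the desktop component already did): escape first, so the
// name is inert text no matter what characters it contains.
function renderNotebookSafe(name) {
  return `<li><span class="notebook-name">${escapeHtml(name)}</span></li>`;
}

// Hypothetical dispatcher for a renamenotebook WebSocket message (shape assumed).
// Returns the markup the chosen renderer would assign, or null for other commands.
function handleRenameEvent(msg, render) {
  if (!msg || msg.cmd !== "renamenotebook") return null;
  return render(msg.data.name);
}

// Hardened Electron BrowserWindow webPreferences as the mitigation recommends:
// the renderer cannot reach Node.js and page/preload worlds are isolated.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Constructed sample event: a notebook renamed to a string containing markup.
const sampleEvent = {
  cmd: "renamenotebook",
  data: { box: "20260313185303-sample", name: 'Notes <img src=x onerror="alert(1)">' },
};

// Detection helper: does rendered markup still carry a raw tag from the input?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}
```

Running `handleRenameEvent(sampleEvent, renderNotebookUnsafe)` yields markup in which the `<img>` survives as a live element, while the safe renderer emits it as `&lt;img ...&gt;` text.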
Affected Countries
United States, China, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T18:53:03.532Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bca5a4e32a4fbe5f143352
Added to database: 3/20/2026, 1:40:52 AM
Last enriched: 3/20/2026, 1:54:17 AM
Last updated: 3/20/2026, 2:42:11 AM