CVE-2026-34449: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in siyuan-note siyuan
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
AI Analysis
Technical Summary
CVE-2026-34449 is a critical vulnerability in SiYuan (a personal knowledge management system) versions before 3.6.2. The issue arises from a permissive CORS policy (Access-Control-Allow-Origin: *) combined with Access-Control-Allow-Private-Network: true, which allows untrusted domains to inject JavaScript via the API. This injected code executes in the Electron application's Node.js context, granting full OS-level access. The attack requires only that the user visits a malicious website while SiYuan is running, enabling remote code execution without additional user interaction. The vendor fixed this vulnerability in version 3.6.2.
Potential Impact
Successful exploitation leads to remote code execution on the victim's desktop with full operating system privileges. This can result in complete compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is critical with a CVSS score of 9.7, indicating high exploitability and severe consequences.
Mitigation Recommendations
Upgrade SiYuan to version 3.6.2 or later, where this vulnerability has been patched. Users running affected versions should apply this update promptly to eliminate the risk. No other mitigations are specified or required once patched.
CVE-2026-34449: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in siyuan-note siyuan
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34449 is a critical vulnerability in SiYuan (a personal knowledge management system) versions before 3.6.2. The issue arises from a permissive CORS policy (Access-Control-Allow-Origin: *) combined with Access-Control-Allow-Private-Network: true, which allows untrusted domains to inject JavaScript via the API. This injected code executes in the Electron application's Node.js context, granting full OS-level access. The attack requires only that the user visits a malicious website while SiYuan is running, enabling remote code execution without additional user interaction. The vendor fixed this vulnerability in version 3.6.2.
Potential Impact
Successful exploitation leads to remote code execution on the victim's desktop with full operating system privileges. This can result in complete compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is critical with a CVSS score of 9.7, indicating high exploitability and severe consequences.
Mitigation Recommendations
Upgrade SiYuan to version 3.6.2 or later, where this vulnerability has been patched. Users running affected versions should apply this update promptly to eliminate the risk. No other mitigations are specified or required once patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T18:18:14.895Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc424fe6bfc5ba1d44f4aa
Added to database: 3/31/2026, 9:53:19 PM
Last enriched: 4/8/2026, 2:04:49 AM
Last updated: 5/16/2026, 8:01:18 AM
Views: 183
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.