CVE-2026-34585: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
AI Analysis
Technical Summary
SiYuan versions before 3.6.2 contain a stored XSS vulnerability due to improper neutralization of input during web page generation. Specifically, crafted block attribute values mixing HTML entities with raw special characters bypass server-side escaping. An attacker can embed malicious IAL values inside a .sy document, package it as a .sy.zip archive, and deliver it via the normal import workflow. Upon opening the note, the malicious attribute breaks out of its HTML context, injecting an event handler that executes JavaScript. In the Electron desktop client, this leads to remote code execution because the injected script has access to Node/Electron APIs. The issue is tracked as CVE-2026-34585 and has a CVSS 3.1 score of 8.6 (high severity).
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code within the context of the SiYuan desktop client, which runs on Electron. This can lead to remote code execution with access to Node/Electron APIs, potentially compromising the victim's system confidentiality, integrity, and availability. The vulnerability arises from stored XSS via maliciously crafted imported notes.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.6.2. Users should upgrade to version 3.6.2 or later to remediate this issue. No additional mitigation steps are required if the update is applied.
CVE-2026-34585: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SiYuan versions before 3.6.2 contain a stored XSS vulnerability due to improper neutralization of input during web page generation. Specifically, crafted block attribute values mixing HTML entities with raw special characters bypass server-side escaping. An attacker can embed malicious IAL values inside a .sy document, package it as a .sy.zip archive, and deliver it via the normal import workflow. Upon opening the note, the malicious attribute breaks out of its HTML context, injecting an event handler that executes JavaScript. In the Electron desktop client, this leads to remote code execution because the injected script has access to Node/Electron APIs. The issue is tracked as CVE-2026-34585 and has a CVSS 3.1 score of 8.6 (high severity).
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code within the context of the SiYuan desktop client, which runs on Electron. This can lead to remote code execution with access to Node/Electron APIs, potentially compromising the victim's system confidentiality, integrity, and availability. The vulnerability arises from stored XSS via maliciously crafted imported notes.
Mitigation Recommendations
This vulnerability is fixed in SiYuan version 3.6.2. Users should upgrade to version 3.6.2 or later to remediate this issue. No additional mitigation steps are required if the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:56:30.999Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc424fe6bfc5ba1d44f4c3
Added to database: 3/31/2026, 9:53:19 PM
Last enriched: 4/8/2026, 4:14:34 AM
Last updated: 5/16/2026, 2:41:10 AM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.