Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.3, 3.6.2
CVE-2026-34448 describes a critical stored Cross-Site Scripting (XSS) vulnerability within the Siyuan Kernel, the core of the Siyuan note-taking application. An attacker can exploit this flaw to inject malicious JavaScript code, potentially leading to unauthorized access and system compromise. This vulnerability impacts versions of Siyuan Kernel released before 3.6.2 and can be mitigated by upgrading to the patched version.
The vulnerability lies in how Siyuan handles URLs stored in Attribute View asset (mAsset) fields. An attacker can place a crafted URL in such a field. When a victim opens a Gallery or Kanban view with “Cover From -> Asset Field” enabled, Siyuan fetches and renders that URL as the card cover image. Critically, the application does not sanitize or escape the URL before inserting it into an <img src="..."> attribute, so a value containing a quote character can break out of the attribute and introduce attacker-controlled markup. In the Electron desktop client the injected JavaScript runs with nodeIntegration enabled and contextIsolation disabled, which lets it execute arbitrary operating system commands. This is a significant escalation from a web-page script to full desktop compromise, enabling data theft, malware installation, and complete system takeover.
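As an added illustration (not SiYuan's own code, and not taken from this advisory), the Go snippet below shows the rendering pattern the advisory describes, an asset URL concatenated straight into an img src attribute, beside a hardened version that renders through Go's contextual html/template package, plus a validator to apply before such a value is stored. The field value is a constructed sample payload, and the function names and the validator's allow-list policy are assumptions for this example only.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// Constructed sample value standing in for an attacker-controlled Attribute
// View asset field. It is a hypothetical payload, not one from the advisory.
const sampleAssetField = `x" onerror="alert(1)`

// renderCoverUnsafe mirrors the flaw the advisory describes: the asset URL is
// concatenated into the src attribute with no escaping, so a value containing
// a double quote closes the attribute and can add new ones.
func renderCoverUnsafe(assetURL string) string {
	return `<img src="` + assetURL + `">`
}

// coverTmpl is a contextual-escaping template: html/template knows the value
// lands inside a URL-typed attribute and filters, normalizes and escapes it.
var coverTmpl = template.Must(template.New("cover").Parse(`<img src="{{.}}">`))

// renderCoverSafe renders the same tag through html/template. Quotes and
// spaces are percent-encoded, and non-http(s) schemes such as javascript:
// are replaced by the "#ZgotmplZ" failsafe marker.
func renderCoverSafe(assetURL string) (string, error) {
	var sb strings.Builder
	if err := coverTmpl.Execute(&sb, assetURL); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// isAllowedAssetURL is a defence-in-depth check to run before storing or
// rendering a cover value (assumed policy): accept only relative asset paths
// or http(s) URLs, and reject anything carrying quotes or angle brackets.
func isAllowedAssetURL(raw string) bool {
	if strings.ContainsAny(raw, `"'<>`) {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "", "http", "https":
		return true
	}
	return false
}

func main() {
	fmt.Println("unsafe: ", renderCoverUnsafe(sampleAssetField))
	safe, _ := renderCoverSafe(sampleAssetField)
	fmt.Println("safe:   ", safe)
	fmt.Println("allowed:", isAllowedAssetURL(sampleAssetField), isAllowedAssetURL("assets/cover.png"))
}
```

The unsafe renderer emits a second attribute pair from the field value; the template version keeps the output to a single quoted src attribute, which is the property a post-upgrade check should look for.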
While no public exploits have been widely reported, the vulnerability's CRITICAL severity and the potential for OS command execution suggest a high likelihood of exploitation. The vulnerability was disclosed on 2026-03-31. Given the ease of exploitation and the potential impact, it is likely to be targeted by malicious actors. It is recommended to monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Users of Siyuan who utilize the Gallery or Kanban views with “Cover From -> Asset Field” enabled are at significant risk. This includes users who rely on Siyuan for sensitive note-taking or collaboration, as the vulnerability could lead to data theft or system compromise. Organizations using Siyuan in shared hosting environments are particularly vulnerable, as a compromised account could potentially impact other users on the same server.
• windows / supply-chain:
Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1000} | Where-Object { $_.Message -match 'siyuan' }
• linux / server:
journalctl -u siyuan | grep -iE 'error|warning'
• wordpress / composer / npm: N/A
• database (mysql, redis, mongodb, postgresql): N/A
• generic web: N/A
Disclosure
Exploit status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34448 is to immediately upgrade Siyuan Kernel to version 3.6.2 or later. This patched version includes the necessary sanitization to prevent the XSS injection. If upgrading is not immediately feasible, consider temporarily disabling the “Cover From -> Asset Field” feature in Gallery and Kanban views to reduce the attack surface. While not a complete solution, this can limit the potential for exploitation. Monitor Siyuan logs for any unusual activity or attempts to access Attribute View fields with suspicious URLs. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious URL and verifying that it is properly sanitized and does not execute JavaScript.
Update SiYuan to version 3.6.2 or later. This fixes the stored XSS vulnerability that allows command execution in the desktop client.
CVE-2026-34448 is a critical stored XSS vulnerability in the Siyuan Kernel, allowing attackers to inject malicious URLs into Attribute View fields, potentially leading to OS command execution.
You are affected if you are using Siyuan Kernel versions prior to 3.6.2 and have the “Cover From -> Asset Field” feature enabled in Gallery or Kanban views.
Upgrade to Siyuan version 3.6.2 or later to remediate the vulnerability. Temporarily disabling “Cover From -> Asset Field” can reduce the attack surface.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official Siyuan release notes and security advisories on the Siyuan GitHub repository for the latest information.