SiYuan Desktop: Stored XSS in imported .sy.zip content leads to arbitrary command execution

An attacker can exploit this vulnerability by crafting a malicious SiYuan document (.sy) containing specially crafted block attribute values. These values, when imported via the standard Import -> SiYuan .sy.zip workflow, bypass server-side attribute escaping. The malicious attribute then breaks out of its original HTML context and injects an event handler. Crucially, within the Electron desktop client, this injected JavaScript code executes with the privileges of the user running the application, enabling remote code execution. This allows an attacker to potentially steal sensitive data, modify application behavior, or even gain control of the user's system. The impact is particularly severe due to the potential for remote code execution.

Users of Siyuan's Electron desktop client are particularly at risk due to the potential for Remote Code Execution. Individuals who frequently import .sy documents from external sources, especially those who share notes or collaborate with others, are also at higher risk. Shared hosting environments where multiple users share the same Siyuan installation are also vulnerable.

• windows / supply-chain: Monitor PowerShell execution for suspicious commands related to file manipulation and import processes. Check Autoruns for unusual entries related to Siyuan.

Get-Process -Name siyuan | Select-Object -ExpandProperty Path

• linux / server: Monitor system logs (journalctl) for errors or unusual activity related to Siyuan's import functionality.

journalctl -u siyuan -f | grep -i error

• generic web: Examine access and error logs for requests related to importing .sy.zip files. Check for unusual characters or patterns in the request parameters. • database (mysql, redis, mongodb, postgresql): N/A - This vulnerability does not directly impact databases.

1. 2026-04-01Disclosure

   disclosure

2. 2026-03-29Patch

   patch

1. Reserviert2026-03-30
2. Veröffentlicht2026-04-01
3. Geändert2026-04-06
4. EPSS aktualisiert2026-04-08

The primary mitigation for CVE-2026-34585 is to immediately upgrade to version 0.0.0-20260329142331-918d1bd9f967 or later. If upgrading is not immediately feasible, consider temporarily disabling the import functionality for .sy.zip files. While not a complete solution, this reduces the attack surface. Review any imported .sy documents for suspicious content before opening them. There are no specific WAF or proxy rules that can directly prevent this type of XSS, as it relies on crafted document content. Monitor SiYuan application logs for unusual activity or errors related to document parsing and attribute handling.