Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.3, 3.6.2
CVE-2026-34448 describes a critical stored Cross-Site Scripting (XSS) vulnerability within the Siyuan Kernel, a core component of the Siyuan note-taking application. An attacker can exploit this flaw by injecting a malicious URL into an Attribute View Asset field. When a victim subsequently opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled, the injected script executes, potentially leading to arbitrary OS command execution.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to execute arbitrary JavaScript code within the context of the victim's Siyuan application. Because the Electron desktop client utilizes nodeIntegration without contextIsolation, the injected JavaScript gains access to the underlying operating system. This enables attackers to perform actions such as stealing sensitive data, installing malware, or gaining persistent access to the victim's system. The ability to execute OS commands significantly expands the attack surface and potential damage, making this a high-priority vulnerability to address.
CVE-2026-34448 was publicly disclosed on 2026-03-31. While no public proof-of-concept (PoC) code has been released as of this writing, the vulnerability's severity and potential for OS command execution suggest a high probability of exploitation. The vulnerability is not currently listed on CISA KEV, but its criticality warrants close monitoring. Given the ease of exploitation (simply injecting a URL), active campaigns are possible.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34448 is to immediately upgrade to Siyuan version 3.6.2 or later. This version includes a fix that properly sanitizes URLs entered into Attribute View fields, preventing the injection of malicious scripts. If upgrading is not immediately feasible, consider temporarily disabling the “Cover From -> Asset Field” feature in Gallery and Kanban views to reduce the attack surface. While not a complete solution, this can help limit the potential for exploitation. Monitor Siyuan logs for unusual activity or unexpected URL patterns in Attribute View fields. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into an Attribute View field and verifying that it is properly sanitized and does not execute.
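The fix is described above only as "properly sanitizes URLs entered into Attribute View fields". The following is an added example (not SiYuan's own code) of what such a defender-side check looks like in Go, the kernel's language: an allowlist on the scheme of an asset value before it is rendered as a card cover, plus attribute escaping of whatever passes. The `assets/` path convention and the function names are assumptions.

```go
package main

import (
	"html"
	"net/url"
	"strings"
)

// SafeAssetURL allowlists what an attribute-view asset value may be before it
// is used as an image source: http(s) URLs with a host, or relative paths under
// the local "assets/" directory (an assumed convention). Every other scheme
// (javascript:, data:, vbscript:, file:, ...) is rejected with ("", false).
func SafeAssetURL(raw string) (string, bool) {
	// Browsers strip ASCII tab/newline anywhere in a URL and leading/trailing
	// controls before reading the scheme, so "java\tscript:" reaches the
	// renderer as "javascript:". Normalise the same way before checking.
	cleaned := strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1
		}
		return r
	}, raw)
	cleaned = strings.TrimSpace(cleaned)
	u, err := url.Parse(cleaned)
	if err != nil || cleaned == "" || strings.Contains(cleaned, "..") {
		return "", false
	}
	switch u.Scheme { // net/url lowercases the scheme for us
	case "http", "https":
		if u.Host == "" {
			return "", false
		}
		return u.String(), true
	case "":
		// Scheme-less: reject protocol-relative "//host/x" and anything outside assets/.
		if u.Host != "" || !strings.HasPrefix(cleaned, "assets/") {
			return "", false
		}
		return cleaned, true
	}
	return "", false
}

// CoverImgTag renders the cover <img> for a Gallery/Kanban card, or "" when the
// value is rejected. Scheme allowlisting alone is not enough: the value is also
// attribute-escaped so a crafted query string cannot break out of src="...".
func CoverImgTag(raw string) string {
	if src, ok := SafeAssetURL(raw); ok {
		return `<img src="` + html.EscapeString(src) + `" alt="cover">`
	}
	return ""
}
```

The same two layers (scheme allowlist, then context-appropriate escaping) are what to look for when confirming a fix, rather than testing a single `javascript:` payload.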
Update SiYuan to version 3.6.2 or later. This fixes the stored XSS vulnerability that allows arbitrary command execution in the desktop client.
CVE-2026-34448 is a critical stored XSS vulnerability in the Siyuan Kernel, allowing attackers to inject malicious URLs into Attribute View fields, potentially leading to OS command execution.
You are affected if you are using Siyuan Kernel versions prior to 3.6.2 and have the “Cover From -> Asset Field” feature enabled in Gallery or Kanban views.
Upgrade to Siyuan version 3.6.2 or later to remediate the vulnerability. Temporarily disabling “Cover From -> Asset Field” can reduce the attack surface.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the official Siyuan release notes and security advisories on the Siyuan GitHub repository for the latest information.