Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.3, 3.6.2
CVE-2026-34449 is a critical Remote Code Execution (RCE) vulnerability in the SiYuan Kernel, the Go backend of the SiYuan note-taking application, which serves the app's API over a local HTTP listener. An attacker exploits it by luring a user into opening a malicious web page while SiYuan is running: script on that page talks to the kernel's local API through the victim's own browser and from there reaches code execution. The vulnerability affects SiYuan Kernel versions prior to 3.6.2, and a patched release is available.
The impact is severe. Successful exploitation runs arbitrary code on the victim's machine with the privileges of the SiYuan process, which in practice means the logged-in user's account, enough for data theft, malware installation, persistence and lateral movement into the rest of the network. Because the attack needs nothing more than a visit to a web page, with no further interaction, every running SiYuan instance whose user browses the web is a potential victim. The root cause is a permissive CORS policy: the kernel responds to cross-origin requests with Access-Control-Allow-Origin: * together with Access-Control-Allow-Private-Network: true. The first header tells the browser that any website may read the kernel API's responses; the second satisfies the Private Network Access preflight that Chromium-based browsers use to stop public websites from reaching services on 127.0.0.1 and other private addresses. Together they let a script on an attacker-controlled page drive the kernel's API from inside the victim's browser, which is the path to the JavaScript injection and, ultimately, code execution.
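To make the header semantics concrete, here is an added Go example written for this page (it is not SiYuan's code and the hardened variant is not the upstream patch). It puts the permissive header set described above next to an allow-list alternative and runs a Chromium-style private-network preflight against both, so you can see exactly what a page on a foreign origin is told. The origin names, the "Token" authorization scheme, the /api/ path and the 127.0.0.1:6806 self-origin are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// permissiveCORS reproduces the header combination named as the root cause: every
// origin is accepted and the PNA preflight is approved, so a script on any website
// can call the kernel API on 127.0.0.1 from inside the victim's browser.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*")
		h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
		h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
		h.Set("Access-Control-Allow-Private-Network", "true")
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is a hardened alternative written for this example (not the upstream
// fix): only origins the kernel itself serves are reflected, PNA is approved only for
// them, and real requests must carry the API token. A foreign origin gets a 403 with
// no CORS headers at all, so the browser refuses to let the page continue.
func allowlistCORS(allowed map[string]bool, apiToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if !allowed[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // reflect the one allowed origin, never "*"
			h.Add("Vary", "Origin")
			h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
				h.Set("Access-Control-Allow-Private-Network", "true")
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		if r.Header.Get("Authorization") != "Token "+apiToken { // assumed token scheme
			http.Error(w, "missing or wrong API token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflightResult is what the browser learns from the OPTIONS preflight it sends
// before letting a page on another origin POST to the kernel.
type preflightResult struct {
	Status         int
	AllowOrigin    string // Access-Control-Allow-Origin, "" when absent
	PrivateNetwork bool   // Access-Control-Allow-Private-Network: true present
}

// permits reports whether the browser would let a page on origin proceed.
func (p preflightResult) permits(origin string) bool {
	return p.Status >= 200 && p.Status < 300 && (p.AllowOrigin == "*" || p.AllowOrigin == origin)
}

// preflight runs an in-process, Chromium-style PNA preflight from origin against h.
// The /api/ path is illustrative; both middlewares apply to every route.
func preflight(h http.Handler, origin string) preflightResult {
	req := httptest.NewRequest(http.MethodOptions, "/api/", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", "content-type")
	req.Header.Set("Access-Control-Request-Private-Network", "true")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return preflightResult{
		Status:         res.StatusCode,
		AllowOrigin:    res.Header.Get("Access-Control-Allow-Origin"),
		PrivateNetwork: res.Header.Get("Access-Control-Allow-Private-Network") == "true",
	}
}

func main() {
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "kernel api") })
	const attacker = "https://attacker.example" // constructed hostile page origin
	const self = "http://127.0.0.1:6806"         // the kernel's own origin (assumed default port)

	weak := preflight(permissiveCORS(backend), attacker)
	fmt.Printf("permissive: status=%d allow-origin=%q pna=%v -> attacker page may call API: %v\n", weak.Status, weak.AllowOrigin, weak.PrivateNetwork, weak.permits(attacker))

	hardened := allowlistCORS(map[string]bool{self: true}, "example-token", backend)
	for _, o := range []string{attacker, self} {
		r := preflight(hardened, o)
		fmt.Printf("allowlist:  origin=%s status=%d allow-origin=%q pna=%v -> permitted: %v\n", o, r.Status, r.AllowOrigin, r.PrivateNetwork, r.permits(o))
	}
}
```

The point the first printout makes is that the wildcard plus the PNA approval answers "yes" to any origin, including attacker.example; the allow-list answers "yes" only to the kernel's own origin and gives the attacker's page nothing to work with. Reflecting a single allowed origin (with Vary: Origin) rather than "*" also keeps the door open for credentialed requests from the legitimate UI, which a wildcard forbids.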
CVE-2026-34449 was publicly disclosed on 2026-03-31. Exploitation is simple and needs no user interaction beyond a page visit, so the probability of real-world exploitation should be assumed to be high even though the EPSS score is currently low. No public proof-of-concept (PoC) has been released as of this writing, but one is easy to write and should be expected. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but its severity warrants close monitoring. Overly permissive CORS on a local service is a well-known weakness class, and comparable localhost-API bugs in desktop applications have been exploited before.
Exploit Status: no public PoC reported; not in CISA KEV
EPSS: 0.14% (34th percentile)
CISA SSVC: not available
CVSS Vector: not available
The primary mitigation for CVE-2026-34449 is to upgrade SiYuan Kernel to version 3.6.2 or later immediately. Until that is possible, the only reliable interim measure is not to run SiYuan while browsing untrusted sites, or to run it on a machine whose browser is not used for general web browsing; firewalling the kernel's port does not help, because the hostile requests originate from the victim's own browser on the same host. A content security policy inside SiYuan would not help either: CSP governs what SiYuan's own pages may load, not what an attacker's page may request, so the fix has to be server-side in the kernel's CORS handling. If you front the kernel with a reverse proxy or capture its traffic, watch for OPTIONS and POST requests to the kernel's API that carry an Origin header from any site other than the kernel's own. After upgrading, confirm the fix directly rather than by visiting a malicious site: send an OPTIONS request to the kernel listener (127.0.0.1:6806 by default) with an Origin header for an unrelated website and Access-Control-Request-Private-Network: true, and check that the response no longer carries Access-Control-Allow-Origin: * or Access-Control-Allow-Private-Network: true for that origin.
Update SiYuan to version 3.6.2 or later; this release fixes the Remote Code Execution (RCE) reachable through the permissive CORS policy and JavaScript injection.
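To run the post-upgrade check described above the way a browser would, here is an added Go probe (example code for this page, not part of SiYuan). It sends a Chromium-style private-network preflight from a made-up hostile origin to the kernel's listener and reports whether the response still permits that origin. The 127.0.0.1:6806 default, the attacker.example origin, the root path and the fake pre-fix/post-fix servers used for the offline self-check are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// corsProbe is what one simulated browser preflight against the kernel revealed.
type corsProbe struct {
	Status              int
	AllowOrigin         string // Access-Control-Allow-Origin, "" when absent
	AllowPrivateNetwork bool   // Access-Control-Allow-Private-Network: true present
}

// Permissive reports whether a page on origin would be allowed to call the kernel API:
// a 2xx preflight that wildcards or reflects the origin. Firefox has no PNA check, so
// this alone decides there; AllowPrivateNetwork tells you whether Chromium would also proceed.
func (p corsProbe) Permissive(origin string) bool {
	return p.Status >= 200 && p.Status < 300 && (p.AllowOrigin == "*" || p.AllowOrigin == origin)
}

// probeCORS sends the OPTIONS preflight Chromium issues before letting a page on
// origin POST to a private-network address such as 127.0.0.1.
func probeCORS(client *http.Client, baseURL, path, origin string) (corsProbe, error) {
	req, err := http.NewRequest(http.MethodOptions, strings.TrimRight(baseURL, "/")+path, nil)
	if err != nil {
		return corsProbe{}, err
	}
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	req.Header.Set("Access-Control-Request-Headers", "content-type")
	req.Header.Set("Access-Control-Request-Private-Network", "true")
	resp, err := client.Do(req)
	if err != nil {
		return corsProbe{}, err
	}
	defer resp.Body.Close()
	return corsProbe{
		Status:              resp.StatusCode,
		AllowOrigin:         resp.Header.Get("Access-Control-Allow-Origin"),
		AllowPrivateNetwork: strings.EqualFold(resp.Header.Get("Access-Control-Allow-Private-Network"), "true"),
	}, nil
}

// fakeKernel is a constructed stand-in for offline self-checks: with permissive=true it
// answers with the header set described in the advisory text, otherwise with no CORS
// headers at all. It is not SiYuan and only models the two header states.
func fakeKernel(permissive bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if permissive {
			w.Header().Set("Access-Control-Allow-Origin", "*")
			w.Header().Set("Access-Control-Allow-Private-Network", "true")
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		fmt.Fprintln(w, "ok")
	}))
}

func main() {
	const origin = "https://attacker.example" // constructed hostile origin

	// Self-check against the two stand-ins so the verdict logic is visibly right.
	for _, mode := range []bool{true, false} {
		srv := fakeKernel(mode)
		r, err := probeCORS(srv.Client(), srv.URL, "/", origin)
		srv.Close()
		fmt.Printf("self-check permissive=%v -> Permissive()=%v err=%v\n", mode, r.Permissive(origin), err)
	}

	// Real target: the kernel's local listener (assumed default port 6806), or a base URL given as argv[1].
	base := "http://127.0.0.1:6806"
	if len(os.Args) > 1 {
		base = os.Args[1]
	}
	client := &http.Client{Timeout: 3 * time.Second}
	p, err := probeCORS(client, base, "/", origin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(2)
	}
	fmt.Printf("status=%d allow-origin=%q allow-private-network=%v\n", p.Status, p.AllowOrigin, p.AllowPrivateNetwork)
	if p.Permissive(origin) {
		fmt.Println("RESULT: kernel still accepts cross-origin calls from arbitrary websites")
		os.Exit(1)
	}
	fmt.Println("RESULT: foreign origin is not permitted")
}
```

Run it with the kernel up; exit status 1 means the listener still answers a foreign origin the way the vulnerable versions did, exit 0 means the preflight is refused. The probe only inspects headers and never sends a real API call, so it is safe to run against a production install.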
CVE-2026-34449 is a critical Remote Code Execution vulnerability in SiYuan Kernel, allowing attackers to execute code on a user's system by exploiting permissive CORS settings.
Yes. Any SiYuan Kernel version prior to 3.6.2 is affected by this RCE.
Upgrade SiYuan Kernel to version 3.6.2 or later to mitigate the vulnerability. Until then, consider disabling SiYuan or restricting network access.
No public exploits are currently known, but the attack is simple enough that exploitation should be considered likely; treat unpatched installations as exposed.
Refer to the SiYuan project's GitHub security advisories (https://github.com/siyuan-note/siyuan/security/advisories) for the official advisory and any updates.