Platform
go
Component
github.com/siyuan-note/siyuan/kernel
Fixed in
3.6.3
0.0.0-20260329142331-918d1bd9f967
CVE-2026-34585 describes a stored Cross-Site Scripting (XSS) vulnerability within the Siyuan Kernel, the core of the Siyuan note-taking application. An attacker can exploit this flaw by crafting malicious attributes within a .sy document and importing it, allowing for the injection of arbitrary JavaScript. This vulnerability poses a significant risk, particularly in the Electron desktop client where the injected JavaScript can lead to Remote Code Execution (RCE). The vulnerability affects versions prior to 0.0.0-20260329142331-918d1bd9f967, and a fix has been released.
The primary impact of CVE-2026-34585 is that an attacker can execute arbitrary JavaScript code within the context of a victim's Siyuan application. This can be achieved by embedding a malicious IAL (Internal Application Language) value inside a .sy document, packaging it as a .sy.zip file, and tricking the victim into importing it. The vulnerability bypasses server-side attribute escaping, allowing the attacker to inject event handlers that break out of their original HTML attribute context. In the Electron desktop client, this injected JavaScript runs with elevated privileges, enabling the attacker to potentially steal sensitive data, modify notes, or even gain control of the user's system. The potential for RCE significantly elevates the severity of this vulnerability, making it a high-priority target for attackers.
CVE-2026-34585 was publicly disclosed on 2026-04-01. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature and potential for RCE make it a likely target for exploitation. The vulnerability is tracked by the NVD and CISA. The EPSS score is pending evaluation, but the potential for RCE suggests a medium to high probability of exploitation if a PoC is released.
Exploit Status
EPSS
0.07% (21% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34585 is to immediately upgrade to version 0.0.0-20260329142331-918d1bd9f967 or later. If upgrading is not immediately feasible, restrict the import of .sy.zip files from untrusted sources. Implement a strict Content Security Policy (CSP) within the Siyuan application to limit the execution of inline scripts. A direct WAF rule is unlikely to be effective, because the malicious content arrives inside an imported archive rather than in a request the WAF inspects; scrutinizing imported .sy files for IAL values that contain attribute-breaking characters can provide an additional layer of defense. After upgrading, confirm the fix by importing a known malicious .sy.zip file in a test environment and verifying that the injected JavaScript is not executed.
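As an added example, not code from the SiYuan project or from this advisory, the following Go program shows the kind of pre-import check the mitigation above describes. It opens a .sy.zip archive from memory, decodes every .sy file inside as JSON, and flags any string under a Properties object (assumed here to be where a block's IAL is stored; that field name is an assumption about the .sy layout, not something the advisory states) which contains characters that can close an HTML attribute or spell an inline event-handler name. It also shows html.EscapeString, the standard-library escape that renders such values inert inside an attribute. The archive contents are constructed inside the program.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/json"
	"fmt"
	"html"
	"io"
	"regexp"
	"strings"
)

// Finding records one IAL value that needs review before the file is imported.
type Finding struct {
	File  string
	Key   string
	Value string
}

// attrBreakers matches characters that terminate or escape an HTML attribute
// value, plus inline event-handler names (on...=). Values matching this are
// flagged for review; the check is deliberately broad.
var attrBreakers = regexp.MustCompile(`(?i)["'<>]|\bon[a-z]+\s*=`)

// SuspiciousIAL reports whether a raw IAL value contains attribute-breaking
// characters or an event-handler name.
func SuspiciousIAL(v string) bool { return attrBreakers.MatchString(v) }

// walk recurses through the decoded JSON document. Every string directly under
// a "Properties" object (assumed IAL location) is checked; everything else is
// traversed. Map iteration order does not matter because each value is
// evaluated independently.
func walk(file string, node interface{}, inProps bool, out *[]Finding) {
	switch n := node.(type) {
	case map[string]interface{}:
		for k, v := range n {
			if inProps {
				if s, ok := v.(string); ok && SuspiciousIAL(s) {
					*out = append(*out, Finding{File: file, Key: k, Value: s})
				}
				continue
			}
			walk(file, v, k == "Properties", out)
		}
	case []interface{}:
		for _, v := range n {
			walk(file, v, false, out)
		}
	}
}

// ScanSyZip reads a .sy.zip archive held in memory and returns every flagged
// IAL value across all .sy files it contains. Non-.sy entries are ignored.
func ScanSyZip(data []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, f := range zr.File {
		if !strings.HasSuffix(f.Name, ".sy") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		raw, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		var doc interface{}
		if err := json.Unmarshal(raw, &doc); err != nil {
			return nil, fmt.Errorf("%s: %w", f.Name, err)
		}
		walk(f.Name, doc, false, &findings)
	}
	return findings, nil
}

// EscapeAttr is the safe way to place an untrusted value into an HTML
// attribute: quotes, angle brackets and ampersands become entities, so the
// value can no longer close the attribute or start a tag.
func EscapeAttr(v string) string { return html.EscapeString(v) }

// buildSample constructs an in-memory .sy.zip with one benign and one
// suspicious IAL value. This is constructed test data, not a real export.
func buildSample() []byte {
	doc := map[string]interface{}{
		"Type":       "NodeDocument",
		"Properties": map[string]string{"title": "Weekly notes"},
		"Children": []interface{}{
			map[string]interface{}{
				"Type":       "NodeParagraph",
				"Properties": map[string]string{"custom-tag": `ok"><`},
			},
		},
	}
	raw, _ := json.Marshal(doc)
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("sample-notebook/sample.sy") // hypothetical entry name
	w.Write(raw)
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := ScanSyZip(buildSample())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: IAL %q = %q (safe form: %q)\n", f.File, f.Key, f.Value, EscapeAttr(f.Value))
	}
}
```

Run it as a normal Go program; it reports the one constructed Properties value that contains a quote and angle brackets and prints the escaped form beside it. In a real pre-import gate you would replace buildSample with the bytes of the uploaded archive and reject or quarantine the import when ScanSyZip returns any findings.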
Update SiYuan to version 3.6.2 or later. This version contains a fix for the stored XSS vulnerability that allows arbitrary command execution. The update can be performed through the built-in update system in the application or by downloading the latest version from the official website.
CVE-2026-34585 is a stored Cross-Site Scripting (XSS) vulnerability in Siyuan Kernel that allows attackers to inject malicious JavaScript through crafted .sy documents.
You are affected if you are using Siyuan Kernel versions prior to 0.0.0-20260329142331-918d1bd9f967, especially if you use the Electron desktop client.
Upgrade to version 0.0.0-20260329142331-918d1bd9f967 or later. Restrict import of untrusted .sy.zip files.
There is currently no evidence of active exploitation, but the potential for RCE makes it a likely target.
Refer to the official Siyuan project website and GitHub repository for the latest security advisories and updates.