CVE-2026-34449：思源笔记RCE漏洞，≤3.6.2版本受影响

SiYuan中的CVE-2026-34449漏洞允许在运行该软件的任何桌面计算机上执行远程代码（RCE）。这归因于过于宽松的跨域资源共享（CORS）配置，允许恶意网站通过SiYuan API注入JavaScript代码。Access-Control-Allow-Origin: *以及Access-Control-Allow-Private-Network: true设置简化了这种注入。注入代码将在SiYuan中的Electron Node.js上下文中执行，从而授予攻击者对操作系统完全访问权限。用户无需进行任何操作，只需在SiYuan运行时访问恶意网站即可。

Users of SiYuan who are running versions prior to 3.6.2 are at significant risk. This includes individuals using SiYuan for personal note-taking, as well as organizations that rely on SiYuan for collaborative knowledge management. Users who frequently visit untrusted websites or have a history of clicking on suspicious links are particularly vulnerable.

• linux / server: Monitor SiYuan's API endpoints for unusual JavaScript requests using journalctl -f -u siyuan. Look for POST requests containing suspicious JavaScript code. • generic web: Use curl to test SiYuan's API endpoints with crafted requests containing JavaScript payloads. Examine the response headers for any signs of code execution. • windows / supply-chain: Monitor PowerShell execution logs (Get-WinEvent -LogName Application -Filter "[System[Provider[@Name='PowerShell']]]" | Where-Object {$_.Message -like 'siyuan'}) • database (generic): Examine SiYuan's configuration files for any unusual CORS settings or API keys that could be exploited.

1. 2026-03-31Disclosure

   disclosure

2. 2026-03-31Patch

   patch

1. 已保留2026-03-27
2. 发布日期2026-03-31
3. 修改日期2026-04-06
4. EPSS 更新日期2026-04-08

建议的解决方案是将SiYuan更新到3.6.2或更高版本。此版本更正了限制性的CORS配置，消除了恶意代码注入的可能性。如果无法立即更新，建议不要使用时禁用SiYuan API。在SiYuan运行时，尤其是在访问未知或可疑网站时，务必小心谨慎。监控SiYuan的网络活动也有助于检测潜在的利用尝试。