Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.
Published: 2026-03-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Stored XSS
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw in the SiYuan mobile file tree allows an authenticated user to rename a notebook with malicious HTML or JavaScript. The application renders this name using innerHTML without escaping, causing the injected code to run on any mobile client that displays the file tree. Because the Electron environment is configured with nodeIntegration enabled and contextIsolation disabled, the script gains full Node.js access, transforming the stored XSS into full remote code execution that can compromise the entire system.

Affected Systems

The vulnerability affects the SiYuan personal knowledge management system released by siyuan‑note:siyuan. All versions up to and including 3.6.0 are susceptible; the issue was fixed in release 3.6.1. The same mobile interface code is also used by the Electron desktop app when the window is narrow, so desktop users in that view are also affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is less than 1 %, suggesting a low overall exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to be authenticated and able to rename notebooks, and the target client must render the vulnerable file tree. When these conditions are met, the attacker can execute arbitrary code with Node.js privileges, posing a significant risk to all accounts with rename rights.

Generated by OpenCVE AI on March 23, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SiYuan to version 3.6.1 or later to patch the remote code execution vulnerability.

Generated by OpenCVE AI on March 23, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qr46-rcv3-4hq3 SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
History

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 9.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Thu, 19 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.
Title SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T01:42:28.407Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32751

cve-icon Vulnrichment

Updated: 2026-03-24T01:42:24.040Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:41.490

Modified: 2026-03-23T18:16:01.297

Link: CVE-2026-32751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:46Z

Weaknesses