Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
Published: 2026-03-31
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

SiYuan's HTTP API ships with a permissive CORS policy: any origin is allowed (Access-Control-Allow-Origin: *) and the browser's Private Network Access check is answered with Access-Control-Allow-Private-Network: true, so a public website can reach the API listening on the local machine. Based on the description, it is inferred that a malicious website can use that access to inject a JavaScript snippet through the API; the snippet then executes in Electron's Node.js context when the user next opens the SiYuan UI. The injected code runs with full operating-system access, enabling arbitrary code execution. The weakness is CWE-942 (Permissive Cross-domain Policy with Untrusted Domains): the API honours cross-origin requests from any site, which is what lets an untrusted origin drive it.

Affected Systems

The flaw affects the SiYuan personal knowledge management application provided by siyuan-note. All desktop installations running versions older than 3.6.2 are susceptible. The vulnerability is patched in release 3.6.2 and later, so only earlier builds remain at risk.

Risk and Exploitability

With a CVSS score of 9.7, the vulnerability is classified as critical. The EPSS score of less than 1% indicates a low current exploitation probability, and the issue is not listed in CISA's KEV catalog. The attack vector is a cross-origin request issued in the background by an attacker-controlled site; it requires no user interaction beyond visiting that site while SiYuan is running. Once a victim has visited the site and the snippet has been injected, the code executes automatically the next time the user launches SiYuan, so the exploitation path is straightforward for a capable adversary.

Generated by OpenCVE AI on April 3, 2026 at 20:51 UTC.
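The CORS policy described in the analysis above, shown as an added example that is not SiYuan's code: a Go net/http middleware carrying the weak wildcard-plus-private-network policy beside a hardened allowlist form that refuses unknown origins and only issues the private-network grant to a trusted one. The allowlisted origin, the listening port and the placeholder API handler are constructed assumptions for the example.

```go
package main

import ("log"; "net/http")

// Constructed allowlist for this example; a real deployment would load it
// from configuration. Only the desktop app's own origin is trusted.
var allowedOrigins = map[string]bool{"http://127.0.0.1:6806": true}

// permissiveCORS reproduces the weak policy named in the advisory: every origin
// may call the API, and public sites are granted private-network access.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Private-Network", "true")
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// strictCORS is the hardened form: unknown origins are refused before reaching
// the API, the trusted origin is echoed back (never "*"), and the
// private-network grant is issued only to it.
func strictCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if !allowedOrigins[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
			if r.Header.Get("Access-Control-Request-Private-Network") == "true" {
				w.Header().Set("Access-Control-Allow-Private-Network", "true")
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// api stands in for the application's JSON API (constructed placeholder).
func api(w http.ResponseWriter, r *http.Request) { w.Write([]byte(`{"ok":true}`)) }
func main() { log.Fatal(http.ListenAndServe("127.0.0.1:8080", strictCORS(http.HandlerFunc(api)))) }
```

A browser sends the Access-Control-Request-Private-Network header on the preflight whenever a public page targets a loopback or private address, so refusing that preflight for unknown origins is what closes the path described in the advisory.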

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.2 or newer
  • If an upgrade cannot be performed immediately, close or suspend SiYuan before browsing the web
  • Apply network filtering to block requests to SiYuan’s API from untrusted origins

Generated by OpenCVE AI on April 3, 2026 at 20:51 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-68p4-j234-43mv
Title: SiYuan is Vulnerable to Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
History

Fri, 03 Apr 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   B3log; B3log siyuan
CPEs                                  cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products                    B3log; B3log siyuan

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Siyuan; Siyuan siyuan
Vendors & Products                    Siyuan; Siyuan siyuan

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Description                           SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
Title                                 SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Weaknesses                            CWE-942
References
Metrics                               cvssV3_1: score 9.7, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:52:56.545Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34449

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-31T22:16:19.830

Modified: 2026-04-03T16:57:32.883

Link: CVE-2026-34449

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:25Z

Weaknesses