PT-2026-25826 · Node.Js+2
0Xkakash1 · Published 2026-03-16 · Updated 2026-03-27
CVE-2026-32751
CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SiYuan versions 3.6.0 and below
SiYuan versions prior to 3.6.1
Description
SiYuan is a personal knowledge management system. The mobile file tree component (MobileFiles.ts) renders notebook names using innerHTML without proper HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) correctly uses escapeHtml() for the same operation. This allows an authenticated user with notebook renaming privileges to inject arbitrary HTML and JavaScript, which is executed on any mobile client displaying the file tree. The Electron environment is configured with nodeIntegration: true and contextIsolation: false, which gives the injected JavaScript full access to Node.js functionality. This escalates a stored cross-site scripting (XSS) issue to full remote code execution. The mobile layout is also used in the Electron desktop application when the window is narrow, making the issue exploitable on desktop as well. The backend API endpoint involved is POST /api/notebook/renameNotebook, and the vulnerable code is located in app/src/mobile/dock/MobileFiles.ts:77. The backend component kernel/api/notebook.go:104-116 sends names unescaped.
Recommendations
Versions prior to 3.6.1: Apply the same escaping used in the desktop version by replacing innerHTML = data.data.name with innerHTML = escapeHtml(data.data.name) in MobileFiles.ts.
Versions prior to 3.6.1: Sanitize notebook names on the backend using a function like util.EscapeHTML(name) in RenameBox().
Versions prior to 3.6.1: As a long-term solution, harden the Electron configuration by setting nodeIntegration: false, contextIsolation: true, and sandbox: true.
Exploit
Fix
XSS
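The two client-side recommendations above, shown as an added example that is not SiYuan's code: the unescaped and escaped innerHTML assignments side by side, plus a check of Electron webPreferences against the recommended values. The escapeHtml() body, the auditWebPreferences() helper, the event fields other than data.name, and the stand-in element objects are assumptions made for illustration.

```javascript
// Added example. escapeHtml() here is an assumed implementation, not SiYuan's own.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Pattern the advisory flags in MobileFiles.ts: the name reaches innerHTML as-is,
// so any markup in it is parsed by the renderer.
function renderNameUnescaped(el, data) {
  el.innerHTML = data.data.name;
}

// Pattern the advisory recommends (and says Files.ts already uses).
function renderNameEscaped(el, data) {
  el.innerHTML = escapeHtml(data.data.name);
}

// Hypothetical helper: report webPreferences that differ from the recommended
// nodeIntegration: false, contextIsolation: true, sandbox: true.
// Strict by design: a key that is not set explicitly is reported too.
function auditWebPreferences(prefs) {
  const required = { nodeIntegration: false, contextIsolation: true, sandbox: true };
  return Object.keys(required)
    .filter((key) => prefs[key] !== required[key])
    .map((key) => `${key} should be ${required[key]}, found ${prefs[key]}`);
}

// Constructed renamenotebook event with benign markup in the name
// (cmd and box are assumed field names; data.name is the field the advisory cites).
const sampleEvent = {
  cmd: "renamenotebook",
  data: { box: "box-placeholder", name: '<b>Work</b> & "Notes"' },
};

// Stand-ins for DOM elements so the example runs under plain Node.js.
const unescapedEl = { innerHTML: "" };
const escapedEl = { innerHTML: "" };
renderNameUnescaped(unescapedEl, sampleEvent);
renderNameEscaped(escapedEl, sampleEvent);

console.log("unescaped:", unescapedEl.innerHTML);
console.log("escaped:  ", escapedEl.innerHTML);
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false }));
console.log(auditWebPreferences({ nodeIntegration: false, contextIsolation: true, sandbox: true }));
```

In a real renderer the unescaped string would be parsed as markup, while the escaped one is displayed as literal text.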
Affected Products
Electron
Node.Js
Siyuan