PT-2026-29376 · Siyuan · Siyuan

Ngocnn97 · Published 2026-03-31 · Updated 2026-04-03 · CVE-2026-34448

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.2

Description

SiYuan is a personal knowledge management system affected by a stored cross-site scripting (XSS) issue. An attacker can inject a malicious URL into an Attribute View mAsset field. When a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled, the script carried in the malicious URL executes.

The vulnerable flow has two parts: the IsPossiblyImage(assetPath) function accepts arbitrary http(s) URLs without extensions as images, and the attacker-controlled string is stored in coverURL and inserted directly into an <img src="..."> attribute without escaping. A payload such as https://example.com/" onerror="require('child_process').exec('calc') can be used to trigger the XSS.

In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, leading to arbitrary OS command execution under the victim’s account.

Recommendations

Versions prior to 3.6.2 should be updated to version 3.6.2 or later.
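The unescaped coverURL insertion described above, next to a hardened form, as an added example that is not SiYuan's code or its actual fix. All function names are hypothetical, the sample string is constructed with a harmless handler, and treating non-absolute values as local asset paths is an assumption.

```javascript
// Added example; names are hypothetical and this is not SiYuan's code.

// Escape every character that can close or extend a quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern from the description: the stored string goes straight into src.
function renderCoverUnsafe(coverURL) {
  return `<img src="${coverURL}">`;
}

// Hardened pattern: absolute URLs must be http(s) and are re-serialised by the
// URL parser (which percent-encodes quotes and spaces); anything that is not an
// absolute URL is assumed to be a local asset path. Both are attribute-escaped.
function renderCoverSafe(coverURL) {
  let src = String(coverURL);
  try {
    const parsed = new URL(src);
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
      return ""; // javascript:, data:, file: and similar: render no cover
    }
    src = parsed.href;
  } catch {
    // Not an absolute URL: keep the string and rely on escaping below.
  }
  return `<img src="${escapeAttr(src)}">`;
}

// List the double-quoted attributes an HTML tokenizer would find in one <img> tag.
function attributeNames(tagHtml) {
  const inner = tagHtml.replace(/^<img\s*/, "").replace(/>$/, "");
  const names = [];
  const re = /([^\s"'=<>\/]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1]);
  return names;
}

// Constructed sample with the same shape as the payload in the description.
const sample = 'https://example.com/" onerror="void 0';
console.log(attributeNames(renderCoverUnsafe(sample))); // extra event-handler attribute
console.log(attributeNames(renderCoverSafe(sample)));   // src only
```
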

Exploit

Fix

RCE

Code Injection

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34448
GHSA-RX4H-526Q-4458

Affected Products

Siyuan