PT-2026-29377 · Electron+1

Sajdakabir · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34449

CVSS v3.1: 9.6 (Critical)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 3.6.2

Description

A security flaw exists in SiYuan that allows a malicious website to achieve Remote Code Execution (RCE) on a desktop system running the application. This is possible due to a permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) which allows the injection of a JavaScript snippet via the API. The injected snippet executes within Electron's Node.js context, granting full operating system access when the user opens SiYuan's UI. The attack requires only a visit to the malicious website while SiYuan is running, and does not require any user interaction.

The vulnerability resides in the CORS middleware (kernel/server/serve.go, lines 960-963) and the snippet injection endpoint (kernel/api/snippet.go, lines 93-128). The Access-Control-Allow-Private-Network: true header bypasses Chrome's Private Network Access protection, enabling cross-origin requests to the SiYuan API at 127.0.0.1:6806. The authentication middleware check is bypassed because the browser sends the session cookie with the cross-origin request.

An attacker can exploit this by sending a POST request to the /api/snippet/setSnippet API endpoint with a malicious JavaScript snippet, which is then saved and executed by SiYuan. This allows for arbitrary code execution, data exfiltration, and potential persistence on the affected system.

Recommendations

Update SiYuan to version 3.6.2 or later.
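
The CORS weakness described above, contrasted with a restrictive policy. This is an added example, not SiYuan's code and not its 3.6.2 patch: the names strictCORS, allowedOrigins and probe are hypothetical, the allowlist values are constructed, and only the port and endpoint path come from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist (assumption): only the application's own UI origins.
var allowedOrigins = map[string]bool{"http://127.0.0.1:6806": true, "http://localhost:6806": true}

// strictCORS is the opposite of the weak pattern in the advisory ("Access-Control-Allow-Origin: *"
// plus "Access-Control-Allow-Private-Network: true"): it reflects only allowlisted origins,
// never sends the Private-Network header, and rejects requests and preflights from any other origin.
func strictCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if !allowedOrigins[origin] {
				http.Error(w, "origin not allowed", http.StatusForbidden)
				return
			}
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin")
		}
		if r.Method == http.MethodOptions { // preflight: answer it, never run the handler
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through strictCORS to a stand-in handler and
// returns the status code and response headers. An empty origin means "no Origin header".
func probe(method, origin string) (int, http.Header) {
	h := strictCORS(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "snippet saved") // stand-in for the real endpoint
	}))
	req := httptest.NewRequest(method, "/api/snippet/setSnippet", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header()
}

func main() {
	fmt.Println(probe(http.MethodPost, "https://untrusted.example"))
}
```

Requests without an Origin header (non-browser clients) pass through to the handler, so the API's own authentication still has to hold for them.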

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-34449
GHSA-68P4-J234-43MV

Affected Products

Electron
SiYuan