PT-2026-29400 · Siyuan · Siyuan

Ngocnn97 · Published 2026-03-31 · Updated 2026-04-01

CVE-2026-34585 · CVSS v3.1 8.6 (High)
Vector AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.2
Description SiYuan is a personal knowledge management system. In versions before 3.6.2, a crafted block attribute value can bypass server-side attribute escaping when an HTML entity is mixed with raw special characters such as quotes. An attacker embeds the malicious IAL (inline attribute list) value in a .sy document, packages it as a .sy.zip, and has the victim import it through the Import .sy.zip workflow. When the note is opened, the attribute value breaks out of its HTML attribute context and injects an event handler, resulting in stored cross-site scripting (XSS). In the Electron desktop client the injected JavaScript runs with access to Node/Electron APIs, so the XSS can be escalated to remote code execution. The attack requires the victim to import the archive and open the note, which is why the vector carries UI:R; the escaped scope (S:C) and local vector reflect code running in the desktop client rather than in a remote service.
Recommendations Update to SiYuan 3.6.2 or later.
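The escaping-bypass pattern the description refers to, modelled as an added example in Go (the language of the SiYuan kernel). This is illustrative code written for this page, not SiYuan's or Lute's own escaping logic. It assumes a renderer that emits each block attribute as custom-<name>="..." on a div, and models the flaw as an escaper that passes through any value already containing an HTML entity to avoid double encoding; the exact bypass in SiYuan is not given on this page. The hardened escaper escapes unconditionally, attrNames shows which attributes a browser would see in each rendering, and suspiciousIAL is a hypothetical pre-import check for the mixed entity-plus-raw-quote shape.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"sort"
	"strings"
)

// entityRe matches a named or numeric HTML character reference.
var entityRe = regexp.MustCompile(`&(#x?[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);`)

// weakEscapeAttr is a hypothetical model of the flaw class: a value that already
// contains an entity is assumed to be pre-escaped and passed through verbatim to
// avoid double encoding. Raw quotes riding alongside the entity are never escaped.
func weakEscapeAttr(v string) string {
	if entityRe.MatchString(v) {
		return v
	}
	return html.EscapeString(v)
}

// safeEscapeAttr escapes unconditionally. '&' is encoded too, so a pre-existing
// entity becomes harmless text and every raw quote is neutralised.
func safeEscapeAttr(v string) string {
	return html.EscapeString(v)
}

// renderBlock emits a block's attributes (its IAL) as custom-<name>="..." on a
// div, in sorted key order so the output is deterministic. The attribute prefix
// is an assumption made for this example.
func renderBlock(ial map[string]string, esc func(string) string) string {
	keys := make([]string, 0, len(ial))
	for k := range ial {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("<div")
	for _, k := range keys {
		fmt.Fprintf(&b, ` custom-%s="%s"`, k, esc(ial[k]))
	}
	b.WriteString("></div>")
	return b.String()
}

// attrNames tokenises a rendered start tag roughly the way a browser would and
// returns the attribute names it sees. Only double-quoted values are handled,
// which is all renderBlock produces.
func attrNames(tag string) []string {
	s := strings.TrimPrefix(tag, "<div")
	var names []string
	for {
		s = strings.TrimLeft(s, " ")
		if s == "" || strings.HasPrefix(s, ">") {
			return names
		}
		end := strings.IndexAny(s, "= >")
		if end < 0 {
			return append(names, s)
		}
		names = append(names, s[:end])
		s = s[end:]
		if strings.HasPrefix(s, "=\"") {
			q := strings.Index(s[2:], `"`)
			if q < 0 {
				return names
			}
			s = s[2+q+1:]
		}
	}
}

// injectedHandlers returns the event-handler attributes (on*) a rendered tag carries.
func injectedHandlers(tag string) []string {
	var hs []string
	for _, n := range attrNames(tag) {
		if strings.HasPrefix(strings.ToLower(n), "on") {
			hs = append(hs, n)
		}
	}
	return hs
}

// suspiciousIAL is a hypothetical pre-import check: a value that mixes an entity
// with raw attribute-breaking characters matches the payload shape in the advisory.
func suspiciousIAL(v string) bool {
	return entityRe.MatchString(v) && strings.ContainsAny(v, `"'<>`)
}

func main() {
	// Constructed sample values: one crafted (entity plus raw quotes and a
	// handler), one benign (entity only).
	samples := []struct{ name, note string }{
		{"crafted", `x&amp;" onerror="alert(1)`},
		{"benign", `Tom &amp; Jerry`},
	}
	for _, smp := range samples {
		ial := map[string]string{"note": smp.note}
		weak := renderBlock(ial, weakEscapeAttr)
		safe := renderBlock(ial, safeEscapeAttr)
		fmt.Printf("%s suspicious=%v\n  weak: %s -> handlers %v\n  safe: %s -> handlers %v\n",
			smp.name, suspiciousIAL(smp.note), weak, injectedHandlers(weak), safe, injectedHandlers(safe))
	}
}
```

With the weak escaper the crafted value renders as `<div custom-note="x&amp;" onerror="alert(1)"></div>`, and the tokenizer reports a second attribute, onerror, exactly the breakout the advisory describes; the unconditional escaper turns the same value into a single attribute whose text contains `&#34;` in place of every raw quote. The takeaway for reviewers is that "already escaped" heuristics on attribute values are the bug: escaping must be applied once, at output, without trying to guess whether input was escaped earlier.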

Exploit

Fix

Code Injection

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34585
GHSA-FF66-236V-P4FG

Affected Products

Siyuan