top of page
perceptive_background_267k.jpg

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiY…

Published:

30 March 2026 at 22:00:00

Alert date:

31 March 2026 at 23:02:28

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Enterprise Applications

SiYuan personal knowledge management system prior to version 3.6.2 contains a critical vulnerability allowing Remote Code Execution through permissive CORS policy exploitation. Malicious websites can inject JavaScript snippets via the API that execute in Electron's Node.js context with full OS access. The vulnerability requires no user interaction beyond visiting a malicious website while SiYuan is running. The issue stems from Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true configuration. This has been patched in version 3.6.2.

Technical details

Mitigation steps:

Affected products:

SiYuan

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-34449
https://github.com/siyuan-note/siyuan/issues/17246
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page