top of page
perceptive_background_267k.jpg

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiY…

Published:

30 maart 2026 om 22:00:00

Alert date:

31 maart 2026 om 23:02:28

Source:

nvd.nist.gov

Click to open the original link from this advisory

Web Technologies, Enterprise Applications

SiYuan personal knowledge management system prior to version 3.6.2 contains a critical vulnerability allowing Remote Code Execution through permissive CORS policy exploitation. Malicious websites can inject JavaScript snippets via the API that execute in Electron's Node.js context with full OS access. The vulnerability requires no user interaction beyond visiting a malicious website while SiYuan is running. The issue stems from Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true configuration. This has been patched in version 3.6.2.

Technical details

Mitigation steps:

Affected products:

SiYuan

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-34449
https://github.com/siyuan-note/siyuan/issues/17246
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page