CVE-2026-34585
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
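The escaping failure described above hinges on an attribute value that is partly encoded (an HTML entity) and partly raw, so an escaper that treats already-present entities as "done" leaves the raw characters untouched. A robust defence is to normalize first (decode whatever entities the value carries) and then escape every special character from scratch, and to check for the mixed shape on import. The Go snippet below is an added illustration written for this page; it is not SiYuan's code and not the actual fix in 3.6.2. The function names `mixedEncoding`, `escapeAttrNormalized` and `fullyEscaped` are hypothetical, and the sample value is constructed.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// entityRe matches a named or numeric HTML character reference.
var entityRe = regexp.MustCompile(`&(?:#[0-9]+|#[xX][0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);`)

// rawAttrSpecials are the characters that can close an attribute value or
// open a new tag when they reach the page unescaped.
const rawAttrSpecials = `<>"'`

// mixedEncoding reports whether a value combines at least one HTML entity
// with at least one raw special character: the input shape the advisory
// describes as slipping past partial, entity-aware escaping. Useful as an
// import-time check on block attribute values.
func mixedEncoding(value string) bool {
	return entityRe.MatchString(value) && strings.ContainsAny(value, rawAttrSpecials)
}

// escapeAttrNormalized decodes whatever entities the value already carries
// and then escapes every special character, so the output is fully escaped
// whether the input was raw, already encoded, or a mix of both.
func escapeAttrNormalized(value string) string {
	return html.EscapeString(html.UnescapeString(value))
}

// fullyEscaped reports whether an attribute value contains no raw special
// characters and no bare ampersand outside a character reference.
func fullyEscaped(value string) bool {
	if strings.ContainsAny(value, rawAttrSpecials) {
		return false
	}
	stripped := entityRe.ReplaceAllString(value, "")
	return !strings.Contains(stripped, "&")
}

func main() {
	// Constructed sample: an entity followed by raw quotes and brackets.
	sample := `&lt;b&gt; & "x" <i>`
	fmt.Println("mixed encoding:", mixedEncoding(sample)) // true
	out := escapeAttrNormalized(sample)
	fmt.Println("escaped:", out)
	fmt.Println("fully escaped:", fullyEscaped(out)) // true
}
```

Decoding before encoding keeps the result idempotent: a value that was already correctly escaped round-trips to the same output, while a partially escaped one is brought to a single, fully escaped form instead of being passed through.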
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/siyuan-note/siyuan/kernel | Go | < 0.0.0-20260329142331-918d1bd9f967 | 0.0.0-20260329142331-918d1bd9f967 |
Affected products
- Range: dev2.0.17-2, v0.1.0, v0.1.1, …
- GHSA coordinates range: < 0.0.0-20260329142331-918d1bd9f967
References
- github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg (NVD: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-ff66-236v-p4fg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34585 (GHSA: Advisory)
- github.com/siyuan-note/siyuan/commit/918d1bd9f967d888f474f6764744a3d8cca4a501 (GHSA: fix commit)
- github.com/siyuan-note/siyuan/issues/17246 (NVD: Issue Tracking)
- github.com/siyuan-note/siyuan/releases/tag/v3.6.2 (NVD: Release Notes)