CVE-2026-34585
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
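Escaping that treats an existing entity as literal text is what stops the entity-plus-raw-quote mix described above from closing the attribute early. The following is an added Go example written for this page, not SiYuan's own code; it borrows only the `[name, value]` shape of `n.KramdownIAL` from the patch, and the sample attribute value is constructed.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// IAL mirrors the [name, value] pair shape of n.KramdownIAL in the patch.
type IAL [][2]string

// escapeAttrValue escapes a value for a double-quoted HTML attribute. It
// never decodes first: an entity already in the input ("&quot;") is kept as
// literal text, so entities mixed with raw quotes cannot close the attribute.
func escapeAttrValue(v string) string {
	return html.EscapeString(strings.TrimSpace(v))
}

// sanitizeIAL escapes every value in place, the way the GetDoc hunk applies
// util.SanitizeAttr to each ial[1]. Names (ial[0]) are assumed trusted here.
func sanitizeIAL(ial IAL) IAL {
	for i := range ial {
		ial[i][1] = escapeAttrValue(ial[i][1])
	}
	return ial
}

// renderIAL emits the list as attributes on a block element, as a renderer would.
func renderIAL(ial IAL) string {
	var b strings.Builder
	b.WriteString("<div")
	for _, kv := range ial {
		fmt.Fprintf(&b, ` %s="%s"`, kv[0], kv[1])
	}
	return b.String() + ">"
}

// attrStaysClosed is the invariant the fix relies on: the escaped value holds
// no raw quote or angle bracket, and decodes back to exactly the original text.
func attrStaysClosed(original string) bool {
	esc := escapeAttrValue(original)
	return !strings.ContainsAny(esc, `"'<>`) && html.UnescapeString(esc) == strings.TrimSpace(original)
}

func main() {
	// Constructed sample (not from any real document): an entity next to a raw quote.
	ial := IAL{{"data-type", "NodeParagraph"}, {"custom-title", `Plan&quot;" data-x="y`}}
	fmt.Println(renderIAL(sanitizeIAL(ial)))
	fmt.Println(attrStaysClosed(`Plan&quot;" data-x="y`))
}
```

Because the value is not decoded before escaping, the browser's own entity decoding yields exactly the stored text, so the author's `&quot;` survives and the raw `"` can no longer start a second attribute.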
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | < 0.0.0-20260329142331-918d1bd9f967 | 0.0.0-20260329142331-918d1bd9f967 |
Affected products
- Range: dev2.0.17-2, v0.1.0, v0.1.1, …
Patches
- 918d1bd9f967: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg
4 files changed · +17 −3
kernel/go.mod+1 −1 modified@@ -8,7 +8,7 @@ require ( github.com/88250/epub v0.0.0-20230830085737-c19055cd1f48 github.com/88250/go-humanize v0.0.0-20240424102817-4f78fac47ea7 github.com/88250/gulu v1.2.3-0.20260124101918-98654a7ca98a - github.com/88250/lute v1.7.7-0.20260321150117-91fef4014208 + github.com/88250/lute v1.7.7-0.20260329134828-30ee1cf08d47 github.com/88250/vitess-sqlparser v0.0.0-20210205111146-56a2ded2aba1 github.com/ClarkThan/ahocorasick v0.0.0-20231011042242-30d1ef1347f4 github.com/ConradIrwin/font v0.2.1
kernel/go.sum+2 −2 modified@@ -14,8 +14,8 @@ github.com/88250/go-sqlite3 v1.14.13-0.20231214121541-e7f54c482950 h1:Pa5hMiBceT github.com/88250/go-sqlite3 v1.14.13-0.20231214121541-e7f54c482950/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= github.com/88250/gulu v1.2.3-0.20260124101918-98654a7ca98a h1:s86WMolaqommXG1k2vXg9Gf1iXvgtHSdeD0eeJTQVR8= github.com/88250/gulu v1.2.3-0.20260124101918-98654a7ca98a/go.mod h1:D+Db16m0N7r9MLZCMcj1a0ZsEGQAxDZkadOn79Gh0vI= -github.com/88250/lute v1.7.7-0.20260321150117-91fef4014208 h1:XC08FBuhc2FTebSxE51xHg+u97+7buMfI6bjsHmHws8= -github.com/88250/lute v1.7.7-0.20260321150117-91fef4014208/go.mod h1:WYyUw//5yVw9BJnoVjx7rI/3szsISxNZCYGOqTIrV0o= +github.com/88250/lute v1.7.7-0.20260329134828-30ee1cf08d47 h1:IoVGy/RDVpnBJWMtgaSffj8ch2XhLT57Z0poWcSw6eM= +github.com/88250/lute v1.7.7-0.20260329134828-30ee1cf08d47/go.mod h1:WYyUw//5yVw9BJnoVjx7rI/3szsISxNZCYGOqTIrV0o= github.com/88250/pdfcpu v0.3.14-0.20250424122812-f10e8d9d8d46 h1:Bq1JsDfVbHKUxNL/B2JXd8cC/1h6aFjrlXpGycnh0Hk= github.com/88250/pdfcpu v0.3.14-0.20250424122812-f10e8d9d8d46/go.mod h1:fVfOloBzs2+W2VJCCbq60XIxc3yJHAZ0Gahv1oO0gyI= github.com/88250/vitess-sqlparser v0.0.0-20210205111146-56a2ded2aba1 h1:48T899JQDwyyRu9yXHePYlPdHtpJfrJEUGBMH3SMBWY=
kernel/model/file.go+3 −0 modified@@ -740,6 +740,9 @@ func GetDoc(startID, endID, id string, index int, query string, queryTypes map[s } subTree.Root.AppendChild(n) + for _, ial := range n.KramdownIAL { + ial[1] = util.SanitizeAttr(ial[1]) + } } luteEngine.RenderOptions.NodeIndexStart = index
kernel/util/misc.go+11 −0 modified@@ -212,6 +212,17 @@ func GetContainsSubStrs(s string, subStrs []string) (ret []string) { return } +func SanitizeAttr(attr string) string { + attr = strings.TrimSpace(attr) + h := "<div data-attr=\"" + attr + "\">" + p := bluemonday.UGCPolicy() + p.AllowDataAttributes() + ret := p.Sanitize(h) + ret = strings.TrimPrefix(ret, "<div data-attr=\"") + ret = strings.TrimSuffix(ret, "\">") + return ret +} + func SanitizeImgSrc(src string) string { src = strings.TrimSpace(src) h := "<img src=\"" + src + "\">"
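Review bot: the go.mod and go.sum hunks bump github.com/88250/lute from 91fef4014208 to 30ee1cf08d47 without saying what that change contributes; if part of the attribute-escaping fix lives in lute (the engine GetDoc renders through via luteEngine), link the corresponding lute commit in the change description so both halves can be reviewed together, and if the bump is unrelated, say so.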
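Review bot: the sanitizing loop in the GetDoc hunk covers only the KramdownIAL entries of the node n being appended, and only their values (ial[1]); attribute names (ial[0]) come from the same imported document and are left untouched, and the IAL lists of any child blocks under n are not visited here. Either confirm the renderer escapes those too, or walk the appended subtree and check names against an allow-list as well. Because this runs at read time, the unsanitized value also remains in the stored .sy file; applying the same check on import would clean the data at rest rather than only the rendered view.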
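Review bot: SanitizeAttr strips the `<div data-attr="` prefix and `">` suffix unconditionally; if bluemonday drops or rewrites the attribute, or otherwise changes the wrapper, neither TrimPrefix nor TrimSuffix matches and the caller receives fragments of markup as the attribute value instead of a clean string. Verify that the sanitized output still starts and ends with the expected wrapper before trimming (returning an empty value otherwise), or escape the value directly for attribute context instead of round-tripping it through an HTML sanitizer. The exported function also needs a doc comment stating that the returned value is already entity-encoded, so callers know not to encode it a second time.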
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg (NVD: Exploit, Vendor Advisory, Web)
- github.com/advisories/GHSA-ff66-236v-p4fg (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34585 (GHSA: Advisory)
- github.com/siyuan-note/siyuan/commit/918d1bd9f967d888f474f6764744a3d8cca4a501 (GHSA: Web)
- github.com/siyuan-note/siyuan/issues/17246 (NVD: Issue Tracking, Web)
- github.com/siyuan-note/siyuan/releases/tag/v3.6.2 (NVD: Release Notes, Web)