CriticalPublic exploit

Stored XSS to RCE in SiYuan Attribute View Cover Asset Handling

IdentifiersCVE-2026-34448CWE-79· Improper Neutralization of Input…

CVE-2026-34448 affects SiYuan, a personal knowledge management system. In versions prior to 3.6.2, an attacker who can place a malicious URL into an Attribute View mAsse field can trigger a stored cross-site scripting condition when a victim opens the Gallery or Kanban view with "Cover From -> Asset Field" enabled. The vulnerable logic accepts arbitrary HTTP(S) URLs without file extensions as image sources, stores the attacker-controlled value in coverURL, and injects it directly into an <img src="..."> attribute without proper escaping or neutralization. In the Electron desktop client, the impact is amplified because nodeIntegration is enabled and contextIsolation is disabled, allowing injected JavaScript to escape the browser context and reach arbitrary operating system command execution under the victim user context.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation yields stored XSS in SiYuan and, in the Electron desktop client, can escalate to arbitrary OS command execution as the victim user. This can result in full compromise of the victim’s SiYuan data, theft of locally accessible secrets, arbitrary file access within the user’s permissions, installation of persistence mechanisms, lateral movement opportunities via harvested credentials or tokens, and potential disruption or destruction of user data. The provided context indicates high impact to confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by preventing untrusted users from writing attacker-controlled values into Attribute View mAsse fields, disabling or avoiding Gallery and Kanban views that use "Cover From -> Asset Field," and restricting use of untrusted shared content. In the Electron client, hardening measures such as disabling nodeIntegration and enabling contextIsolation would reduce the XSS-to-RCE escalation path, though the provided context only confirms these settings as contributing factors rather than documenting them as an official vendor mitigation.

Remediation

Patch, then assume compromise.

Upgrade SiYuan to version 3.6.2 or later, which patches the vulnerable handling of attacker-controlled cover URLs. Apply the vendor fix referenced in the SiYuan 3.6.2 release and associated GitHub Security Advisory. Any deployment remaining on versions prior to 3.6.2 should be considered vulnerable.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

B3logSiyuanapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

nuclei templates pull requestsNews

Apr 17, 2026

[Bounty] Add 5 Nuclei templates for April 2026 CVEs (Batch 10) by eyangfeng88-arch · Pull Request #15961 · projectdiscovery/nuclei-templates · GitHub

A vulnerability affecting SiYuan Note described as enabling XSS leading to remote code execution.

cvefeed high severityNews

Mar 31, 2026

CVE-2026-34448 - SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client

A stored XSS vulnerability in SiYuan prior to version 3.6.2 that can lead to arbitrary OS command execution in the Electron desktop client due to unsafe URL handling and insecure Electron settings.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34448

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34448

MITRE CWE · CWE-79

Improper Neutralization of Input During Web…

Vendor Advisory

github.com/siyuan-note/siyuan/security/advisories/GHSA-rx4h-526q-4458

Release Notes

github.com/siyuan-note/siyuan/releases/tag/v3.6.2

Issue Tracking

github.com/siyuan-note/siyuan/issues/17246