CVE-2026-34585HIGH 8.2EPSS p26.0%

CVE-2026-34585CVE-2026-34585

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.

Scoring

CVSS 3.18.2 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS0.34% probability of exploitation · percentile 26.0% · 2026-06-19T12:03:05Z
Published2026-03-31
Last modified2026-04-03

Underlying weaknesses· 2

CWE-79CWE-94

References

  1. https://github.com/siyuan-note/siyuan/issues/17246
  2. https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
  3. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg
  4. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg

2

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-39846
CVE
CVE-2026-34448
CVE
CVE-2026-44586
CVE
CVE-2026-23852
CVE
CVE-2026-33066
CVE
CVE-2026-33067
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.