CVE-2026-32751
Published: 19 March 2026
Summary
CVE-2026-32751 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 45.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 (Information Output Filtering): mandates encoding or filtering of data such as notebook names before it is inserted into the DOM via innerHTML, which prevents the stored payload from being parsed as HTML/JavaScript in the first place.
SI-10 (Information Input Validation): requires validation of the name carried by renamenotebook WebSocket events so that HTML/JavaScript payloads are rejected or sanitized before they are stored and broadcast to other clients.
SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of flaws like the unescaped rendering in MobileFiles.ts, as demonstrated by the fix shipped in version 3.6.1.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The stored XSS vulnerability allows arbitrary JavaScript injection into an Electron renderer that runs with nodeIntegration enabled and contextIsolation disabled, so a client-side script injection becomes remote code execution on the viewing client, which is the pattern T1203 describes.
NVD Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.
Deeper analysis
CVE-2026-32751 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SiYuan, a personal knowledge management system, in versions 3.6.0 and prior. The issue resides in the mobile file tree component (MobileFiles.ts), which renders notebook names using innerHTML without HTML escaping during processing of renamenotebook WebSocket events. In contrast, the desktop version (Files.ts) correctly applies escapeHtml(). The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
An authenticated attacker with permission to rename notebooks can inject arbitrary HTML and JavaScript into a notebook name. Because the name is stored and pushed to other clients through the renamenotebook event, the payload executes as stored XSS on every mobile client that renders the affected file tree, not only in the attacker's own session. Due to the Electron application's configuration with nodeIntegration enabled and contextIsolation disabled, the injected JavaScript gains full Node.js access, enabling remote code execution on the viewing client. The mobile layout activates in the Electron desktop app on narrow windows, extending exploitability to desktop environments. The escaping fix removes the injection; the Electron web preferences are what escalate it, so until an instance is upgraded the ability to rename notebooks should be treated as equivalent to code execution on any client that views the tree.
The vulnerability has been addressed in SiYuan version 3.6.1. Relevant resources include the fixing commit at https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0, the release notes at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1, and the security advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3, which recommend upgrading to the patched version for mitigation.
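The following is an added example, not SiYuan's code and not the project's fix. It reproduces the pattern the advisory describes (a renamenotebook event whose name field is interpolated into innerHTML unescaped) against a stand-in element so it runs under Node without a browser or Electron, shows the escaped rendering beside it, and adds a grep-style review check for the same sink elsewhere. The event field names, the markup template, the escapeHtml() implementation and the two source excerpts are all assumptions constructed for the example, not SiYuan's real wire format, markup or code.

```javascript
// Added example (not SiYuan's code). Everything below is constructed for
// illustration; event fields, templates and escapeHtml() are assumptions.

// Escape the five characters that can break out of element content or a
// double/single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for a DOM element: only records what was assigned to innerHTML.
class FakeElement {
  constructor() { this.innerHTML = ""; }
}

// Lists the element names a browser would create from an HTML string.
// Deliberately naive (no real parser); enough to show whether untrusted
// input became markup.
function tagsIn(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g)].map((m) => m[1].toLowerCase());
}

// Constructed WebSocket message. The notebook name carries the payload a
// renaming user would submit; with nodeIntegration: true the handler body
// could call require() instead of alert().
const renameEvent = {
  cmd: "renamenotebook",
  data: { box: "20240101120000-abcdefg", name: '<img src=x onerror="alert(1)">' },
};

// Vulnerable pattern: the name is interpolated straight into the markup.
function renderNotebookVulnerable(el, event) {
  el.innerHTML = `<li data-id="${event.data.box}"><span>${event.data.name}</span></li>`;
  return el.innerHTML;
}

// Fixed pattern: every interpolated value is escaped before it becomes markup.
function renderNotebookFixed(el, event) {
  el.innerHTML = `<li data-id="${escapeHtml(event.data.box)}"><span>${escapeHtml(event.data.name)}</span></li>`;
  return el.innerHTML;
}

// Grep-style review check: for an innerHTML assignment, return the template
// interpolations that are not wrapped in escapeHtml(). A heuristic, not a
// taint analysis; it will miss values escaped on an earlier line.
function unescapedInterpolations(sourceLine) {
  if (!/\.innerHTML\s*\+?=/.test(sourceLine)) return [];
  return [...sourceLine.matchAll(/\$\{([^}]*)\}/g)]
    .map((m) => m[1].trim())
    .filter((expr) => !/^escapeHtml\(/.test(expr));
}

// Constructed source excerpts standing in for the two file-tree implementations
// (the mobile tree without escaping, the desktop tree with it).
const constructedSources = {
  "MobileFiles.ts": "liElement.innerHTML = `<span class=\"name\">${data.name}</span>`;",
  "Files.ts": "liElement.innerHTML = `<span class=\"name\">${escapeHtml(data.name)}</span>`;",
};

function main() {
  const vulnerable = renderNotebookVulnerable(new FakeElement(), renameEvent);
  const fixed = renderNotebookFixed(new FakeElement(), renameEvent);
  console.log("vulnerable creates:", tagsIn(vulnerable).join(","));
  console.log("fixed creates:     ", tagsIn(fixed).join(","));
  for (const [file, line] of Object.entries(constructedSources)) {
    console.log(file, "unescaped interpolations:", unescapedInterpolations(line));
  }
}
main();
```

The vulnerable render yields an extra img element whose onerror handler the browser would run; the fixed render yields the same li and span with the payload reduced to text. The unescapedInterpolations check is the kind of quick sweep worth running over the rest of a code base after a fix like this one, since the advisory itself shows the same sink was handled correctly in one file and not in its sibling.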
Details
- CWE(s)