CVE-2026-34448
Published: 31 March 2026
Summary
CVE-2026-34448 is a critical-severity cross-site scripting (CWE-79) vulnerability in B3Log SiYuan. Its CVSS v3.1 base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 17.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Directly mitigates stored XSS by requiring filtering and encoding of outputs prior to insertion into HTML attributes such as img src, addressing the unescaped injection of attacker-controlled URLs.
- SI-10 (Information Input Validation): Prevents acceptance of arbitrary HTTP(S) URLs in the Asset field by validating inputs for consistency and safety before they are stored in coverURL.
- SI-2 (Flaw Remediation): Ensures timely identification, reporting, and remediation of software flaws such as this XSS vulnerability by patching to version 3.6.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in the SiYuan Electron client (nodeIntegration enabled, contextIsolation disabled) allows direct injection and execution of arbitrary JavaScript that reaches OS command execution; this maps to client-side exploitation (T1203) and use of the JavaScript interpreter (T1059.007).
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View Asset field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src="..."> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.
Deeper analysis
CVE-2026-34448 is a stored cross-site scripting (XSS) vulnerability, associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code), affecting SiYuan, a personal knowledge management system, in versions prior to 3.6.2. The flaw occurs in the Attribute View Asset field, where the vulnerable code accepts arbitrary HTTP(S) URLs without file extensions as images. These URLs are stored in a coverURL variable and injected directly into an <img src="..."> attribute without escaping, enabling stored XSS when a victim opens the Gallery or Kanban view with the "Cover From -> Asset Field" option enabled.
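As an added illustration of the pattern described above (not SiYuan's own code: the renderCover* helpers, escapeAttr, hasSingleQuotedSrc and the constructed payload are assumptions of this page), the following JavaScript places the unescaped string concatenation next to a hardened renderer that parses the stored value with the WHATWG URL API, allows only http(s), and HTML-encodes the attribute value:

```javascript
// Added illustration of the CVE-2026-34448 bug class, not SiYuan's code. Function names and
// the payload below are invented for this example.

const HTTP_URL_RE = /^https?:\/\//i;

// Pre-fix pattern described in the advisory: anything that looks like an http(s) URL is
// treated as an image and the raw string is spliced into the src attribute unescaped.
function renderCoverVulnerable(coverURL) {
  if (!HTTP_URL_RE.test(coverURL)) {
    return "";
  }
  return `<img src="${coverURL}">`;
}

// Minimal HTML attribute encoder: the five characters that can terminate or alter an
// attribute value are replaced with entities.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened pattern: parse with the URL API (which percent-encodes quotes and spaces in the
// path), allow only http(s), and encode the attribute value before splicing it into markup.
function renderCoverHardened(coverURL) {
  let url;
  try {
    url = new URL(coverURL);
  } catch {
    return "";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return "";
  }
  return `<img src="${escapeAttr(url.href)}">`;
}

// Constructed payload of the kind a low-privileged user could store in the Asset field.
// The embedded quote closes src; with nodeIntegration enabled, require() inside the
// onerror handler is Node's require, so the handler runs an OS command.
const COVER_PAYLOAD =
  'https://example.invalid/cover" onerror="require(\'child_process\').exec(\'id\')';

// True when the markup carries exactly the two quotes that delimit the src value and no
// attribute boundary was injected.
function hasSingleQuotedSrc(html) {
  return (html.match(/"/g) || []).length === 2 && !/\sonerror=/.test(html);
}

function demo() {
  const vulnerable = renderCoverVulnerable(COVER_PAYLOAD);
  const hardened = renderCoverHardened(COVER_PAYLOAD);
  return {
    vulnerable,
    hardened,
    vulnerableInjects: !hasSingleQuotedSrc(vulnerable),
    hardenedSafe: hasSingleQuotedSrc(hardened),
  };
}

console.log(demo());
```

Run with node. On the constructed payload the vulnerable render emits a second attribute (onerror="...") after src; the hardened render keeps the whole string inside the src value, both because the URL parser percent-encodes the quote and space and because the attribute encoder handles anything the parser leaves alone. Output encoding closes the injection; whether extension-less http(s) URLs should be accepted as images at all is a separate input-validation decision.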
An attacker with low privileges (PR:L) can exploit this by placing a malicious URL in an Asset field. When a victim interacts (UI:R) by opening the affected Gallery or Kanban view, the payload fires in the Electron desktop client, where nodeIntegration is enabled and contextIsolation is disabled. The injected JavaScript therefore runs with access to Node.js APIs rather than in an isolated page context, escalating to arbitrary operating system command execution under the victim's account. The CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) reflects network reachability, low attack complexity, and a scope change (the XSS escapes the web content into the operating system) with high confidentiality, integrity, and availability impact.
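As an added example (not SiYuan's code or configuration), the two BrowserWindow webPreferences named above are shown in the exposed combination beside an isolated one, with an invented audit helper; the defaults it assumes for absent keys are Electron 20+ behaviour, and the preload path is a placeholder:

```javascript
// Added example, not SiYuan's code: the exposed webPreferences combination from the advisory
// beside an isolated configuration, plus an invented auditWebPreferences() helper.

// The renderer configuration the advisory attributes to the affected desktop client.
const EXPOSED_PREFS = { nodeIntegration: true, contextIsolation: false };

// Isolated renderer: page scripts get no require(), cannot reach the preload script's scope,
// and run in the OS sandbox. Whatever the page needs from Node goes through a preload that
// exposes a narrow API via contextBridge (the preload path here is a placeholder).
const ISOLATED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: "/path/to/preload.js",
};

// Defaults assumed for absent keys (Electron 20+): nodeIntegration false, contextIsolation
// true, webSecurity true, and sandbox true except when nodeIntegration is true, in which case
// Electron leaves the renderer unsandboxed unless sandbox is set explicitly.
function auditWebPreferences(prefs) {
  const has = (k) => Object.prototype.hasOwnProperty.call(prefs, k);
  const get = (k, dflt) => (has(k) ? prefs[k] : dflt);
  const nodeIntegration = get("nodeIntegration", false) === true;
  const contextIsolation = get("contextIsolation", true) !== false;
  const sandbox = get("sandbox", !nodeIntegration) !== false;
  const webSecurity = get("webSecurity", true) !== false;

  const findings = [];
  if (nodeIntegration) {
    findings.push("nodeIntegration enabled: script injected into the page can call require() directly");
  }
  if (!contextIsolation) {
    findings.push("contextIsolation disabled: page scripts share a JavaScript context with the preload script and Electron internals");
  }
  if (!sandbox) {
    findings.push("sandbox disabled: the renderer process is not OS-sandboxed");
  }
  if (!webSecurity) {
    findings.push("webSecurity disabled: same-origin policy is off in the renderer");
  }
  return findings;
}

// Does a stored XSS in this renderer reach Node APIs, and so OS command execution?
function xssReachesNode(prefs) {
  return auditWebPreferences(prefs).some((f) => f.startsWith("nodeIntegration enabled"));
}

console.log("exposed:", auditWebPreferences(EXPOSED_PREFS));
console.log("isolated:", auditWebPreferences(ISOLATED_PREFS));
```

Note the sandbox default: a window created with nodeIntegration: true and nothing said about sandbox is also unsandboxed, so the exposed configuration carries three findings, not two. Turning contextIsolation on while leaving nodeIntegration on still hands require() to page scripts; both settings have to change for the XSS to stay inside the page.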
Mitigation is available via the patch in SiYuan version 3.6.2, as detailed in the project's release notes and security advisory. Security practitioners should advise users to update immediately; as an interim measure, disable the "Cover From -> Asset Field" option in Gallery and Kanban views. Disabling the option only stops the cover from being rendered: a malicious URL already stored in an Asset field remains in the document until it is removed, and will trigger again if the option is re-enabled on an unpatched client. Additional details are provided in the GitHub security advisory (GHSA-rx4h-526q-4458), issue tracker (#17246), and release page (v3.6.2).
Details
- CWE(s)