CVE-2026-34585
Published: 31 March 2026
Summary
CVE-2026-34585 is a high-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 23.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents crafted block attribute values in imported .sy.zip files from bypassing escaping by validating all information inputs during the import workflow.
- SI-15 (Information Output Filtering): filters the output of parsed IAL attributes that mix HTML entities with raw special characters, blocking stored XSS event handlers when rendering notes.
- SI-2 (Flaw Remediation): remediates the attribute parsing flaw itself by requiring timely patching, here to SiYuan version 3.6.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables stored XSS via crafted IAL values in imported .sy.zip files, allowing arbitrary JavaScript execution in the Electron client that escalates to RCE, directly facilitating T1203 (Exploitation for Client Execution) and T1059.007 (JavaScript).
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.
Deeper analysis
SiYuan, a personal knowledge management system, contains a vulnerability (CVE-2026-34585) prior to version 3.6.2 that allows crafted block attribute values to bypass server-side attribute escaping when HTML entities are mixed with raw special characters. This flaw affects the parsing of inline attribute language (IAL) values in .sy documents, enabling stored cross-site scripting (XSS) when processed by the application. The issue is particularly severe in the Electron-based desktop client, where the resulting XSS payload gains access to Node.js and Electron APIs.
An attacker can exploit this by embedding a malicious IAL value in a .sy document, packaging it as a .sy.zip file, and tricking a victim into importing it via the standard Import -> SiYuan .sy.zip workflow. Upon opening the note, the payload escapes its HTML context, injects an event handler, and executes arbitrary JavaScript. In the Electron client, this escalates to remote code execution with the full privileges of the application. In CVSS terms the attack is local (the victim must open the crafted file on their own machine), requires user interaction, and needs no prior privileges or authentication; the attacker does not need interactive access to the victim's host beyond getting the file imported.
The vulnerability has been addressed in SiYuan version 3.6.2, as detailed in the project's release notes and security advisory (GHSA-ff66-236v-p4fg). Security practitioners should advise users to update to 3.6.2 or later and avoid importing untrusted .sy.zip files, with further technical details available in the associated GitHub issue (siyuan-note/siyuan#17246).
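The mechanism described above (an attribute value that mixes an HTML entity with raw quotes slipping past escaping and breaking out of its attribute) and the two input/output controls listed under Mitigating Controls are illustrated below in Go, the language of SiYuan's kernel. This is an added example and not SiYuan's or Lute's code: the flawed escaper is a hypothetical model of the bug class (it treats a value that already contains an entity as "already escaped"), the `syBlock` struct assumes only the ID/Properties/Children layout of a .sy document, and the block IDs and the sample document are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"regexp"
)

// entityRE matches a named or numeric HTML character reference.
var entityRE = regexp.MustCompile(`&(#[0-9]+|#[xX][0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);`)

// rawSpecialRE matches characters that must never reach an attribute value unescaped.
var rawSpecialRE = regexp.MustCompile(`["'<>]`)

// attrRE matches one attribute start (name followed by =") inside a tag.
var attrRE = regexp.MustCompile(`\s[a-zA-Z][a-zA-Z0-9-]*="`)

// escapeAttrFlawed is a hypothetical escaper, not SiYuan's code. It assumes a
// value that already contains an entity was escaped earlier and passes it
// through untouched, so raw quotes next to the entity survive.
func escapeAttrFlawed(v string) string {
	if entityRE.MatchString(v) {
		return v
	}
	return html.EscapeString(v)
}

// escapeAttrFixed decodes any entities first and then escapes every special
// character, so the output does not depend on how the input was spelled.
func escapeAttrFixed(v string) string {
	return html.EscapeString(html.UnescapeString(v))
}

// renderBlock emits the opening tag of a block element carrying one IAL
// attribute; the node id is a constructed placeholder.
func renderBlock(name, value string, esc func(string) string) string {
	return fmt.Sprintf(`<div data-node-id="20240101120000-abcdefg" %s="%s">`, name, esc(value))
}

// attrCount returns how many attributes the rendered tag really carries.
// Two are expected (the id and the IAL attribute); more means the value
// broke out of its quoted context.
func attrCount(tag string) int {
	return len(attrRE.FindAllString(tag, -1))
}

// mixedEntityAndRaw is an import-time check (SI-10 style): it flags a value
// that contains an HTML entity together with raw quote or angle characters.
func mixedEntityAndRaw(v string) bool {
	return entityRE.MatchString(v) && rawSpecialRE.MatchString(v)
}

// syBlock holds the .sy node fields used here; the shape is assumed from the
// JSON layout of .sy documents and is not a complete schema.
type syBlock struct {
	ID         string            `json:"ID"`
	Properties map[string]string `json:"Properties"`
	Children   []syBlock         `json:"Children"`
}

// scanDoc walks a .sy document and returns "blockID/attribute" for every
// property value that mixes an entity with raw special characters.
func scanDoc(data []byte) ([]string, error) {
	var root syBlock
	if err := json.Unmarshal(data, &root); err != nil {
		return nil, err
	}
	var hits []string
	var walk func(b syBlock)
	walk = func(b syBlock) {
		for k, v := range b.Properties {
			if mixedEntityAndRaw(v) {
				hits = append(hits, b.ID+"/"+k)
			}
		}
		for _, c := range b.Children {
			walk(c)
		}
	}
	walk(root)
	return hits, nil
}

// sampleDoc is a constructed .sy fragment with one benign and one hostile
// attribute value; the block IDs are placeholders.
const sampleDoc = `{"ID":"20240101120000-root","Properties":{"title":"Notes &amp; ideas"},
"Children":[{"ID":"20240101120001-p","Properties":{"title":"x&amp;\" onmouseover=\"alert(1)"}}]}`

func main() {
	hostile := `x&amp;" onmouseover="alert(1)`
	for _, esc := range []func(string) string{escapeAttrFlawed, escapeAttrFixed} {
		tag := renderBlock("title", hostile, esc)
		fmt.Printf("%d attributes: %s\n", attrCount(tag), tag)
	}
	hits, err := scanDoc([]byte(sampleDoc))
	fmt.Println(hits, err)
}
```

With the flawed escaper the hostile value renders as a third attribute, `onmouseover="alert(1)"`, on the block element; the normalise-then-escape version keeps every quote inside the attribute. `scanDoc` is the pre-import counterpart: it flags the one block whose property mixes an entity with a raw quote, which is the pattern a defender can reject or quarantine before the document reaches the renderer.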
Details
- CWE(s)