How to fix CVE-2026-34448?

Within 24 hours: Identify all SiYuan desktop client installations across your organization and document versions currently in use. Within 7 days: Deploy SiYuan version 3.6.2 or later to all affected systems; prioritize systems handling sensitive data or used by privileged users. Restrict creation of new Attribute View asset fields pending update. Within 30 days: Complete inventory verification that all instances are running 3.6.2+; audit Attribute View fields created during the vulnerability window for suspicious content.

Is Command Injection affected by CVE-2026-34448?

SiYuan knowledge management system versions prior to 3.6.2 contain a stored XSS vulnerability that allows authenticated users to inject malicious code into asset fields, escalating to arbitrary command execution on Windows, macOS, and Linux desktop clients.

CVE-2026-34448

EUVD-2026-17675 CRITICAL

2026-03-31 [email protected]

GHSA-rx4h-526q-4458

9.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Apr 01, 2026 - 02:30 nvd

Patch available

Analysis Generated

Mar 31, 2026 - 22:22 vuln.today

EUVD ID Assigned

Mar 31, 2026 - 22:22 euvd

EUVD-2026-17675

CVE Published

Mar 31, 2026 - 22:16 nvd

CRITICAL 9.0

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src="..."> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.

Analysis

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. …

Remediation

Within 24 hours: Identify all SiYuan desktop client installations across your organization and document versions currently in use. Within 7 days: Deploy SiYuan version 3.6.2 or later to all affected systems; prioritize systems handling sensitive data or used by privileged users. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +45

POC: 0

CVE-2026-34448 vulnerability details – vuln.today

Back

CVE-2026-34448

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34448

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code