
Siyuan CVE-2026-34448

EUVD-2026-17675 · CRITICAL
Cross-site Scripting (XSS) (CWE-79)
Published 2026-03-31 · security-advisories@github.com · GHSA-rx4h-526q-4458
CVSS 3.1 score 9.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Patch released (patch available): Apr 01, 2026 - 02:30 (nvd)
EUVD ID Assigned: Mar 31, 2026 - 22:22 (euvd), EUVD-2026-17675
Analysis Generated: Mar 31, 2026 - 22:22 (vuln.today)
CVE Published: Mar 31, 2026 - 22:16 (nvd)

Description (GitHub Advisory)

SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src="..."> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.
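The rendering defect the advisory describes, interpolating an attacker-controlled coverURL straight into an `<img src>` attribute, shown beside a hardened version that validates the scheme and escapes the attribute value. This is an added example, not SiYuan's code; the function and constant names are hypothetical and the sample inputs are constructed.

```javascript
// Added example, not SiYuan's code. Names are hypothetical.

const COVER_FALLBACK = '<img alt="cover unavailable">';

// Vulnerable pattern: the stored value goes straight into the attribute, so
// a quote or angle bracket in it rewrites the markup instead of naming a URL.
function renderCoverVulnerable(coverURL) {
  return `<img src="${coverURL}">`;
}

// Escape the characters that can terminate or alter an HTML attribute value.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only absolute http(s) URLs; javascript:, data:, file: and strings
// that do not parse are rejected. Relative asset paths are out of scope here
// (assumption: this example does not model SiYuan's own asset path handling).
function parseCoverURL(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url : null;
}

// Hardened rendering: validate the scheme, then emit the normalized href
// (the WHATWG parser percent-encodes quotes and angle brackets in the path)
// with attribute escaping applied on top, so neither step has to be perfect.
function renderCoverHardened(coverURL) {
  const url = parseCoverURL(coverURL);
  if (url === null) return COVER_FALLBACK;
  return `<img src="${escapeAttr(url.href)}">`;
}
```

Validation and escaping address only the injection step; the Electron hardening the advisory implies (not running renderer content with nodeIntegration enabled and contextIsolation disabled) is what keeps a remaining XSS from becoming OS command execution.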

Analysis (AI-generated)

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker crafts malicious URL in Attribute View
Delivery: Places URL in mAsse field
Exploit: Victim opens Gallery or Kanban view
Execution: Stored XSS payload executes in <img> tag
Persist: JavaScript runs with nodeIntegration enabled
Impact: Arbitrary code execution on victim system

Vulnerability Assessment (AI-generated)

Exploitation: Attacker must have authenticated access to SiYuan (PR:L) to place a malicious URL in an Attribute View mAsse field. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 9.0 Critical rating accurately reflects real-world risk for desktop client users, though several factors moderate exploitation probability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with authenticated access to a shared SiYuan workspace creates or modifies an Attribute View entry, inserting a crafted URL into an asset field such as "javascript:eval(String.fromCharCode(114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,40,39,99,97,108,99,39,41))" disguised to appear as a legitimate image reference. When a victim user opens the affected database in Gallery or Kanban view with asset-based covers enabled, the malicious URL is rendered into an img tag's src attribute without sanitization. …

Remediation: Upgrade immediately to SiYuan version 3.6.2 or later, released by the vendor to address this vulnerability. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Identify all SiYuan desktop client installations across your organization and document versions currently in use. …


CVE-2026-34448 vulnerability details – vuln.today
