
Node.js CVE-2026-34449

EUVD-2026-17676 · CRITICAL
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-03-31 · security-advisories@github.com · GHSA-68p4-j234-43mv
CVSS 3.1 score 9.6 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch released (status: patch available): Apr 01, 2026 02:30 (nvd)
EUVD ID assigned: Mar 31, 2026 22:22 (euvd), EUVD-2026-17676
Analysis generated: Mar 31, 2026 22:22 (vuln.today)
CVE published: Mar 31, 2026 22:16 (nvd)

Description (GitHub Advisory)

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.

Analysis (AI-generated)

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. …
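A defender-side check for the header combination described above, alongside the per-origin policy a local API should send instead. This is an added example, not part of the advisory or of SiYuan's code; the header sets and origins (such as https://app.example) are constructed.

```javascript
// Added example, not from the advisory or from SiYuan's code base. It evaluates a
// CORS response-header set for the permissive combination the advisory describes
// (wildcard origin plus private-network access) and shows a per-origin policy
// that a local API could send instead. All sample values are constructed.

// Normalise header names to lowercase and values to trimmed strings.
function normaliseHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Returns human-readable findings; an empty array means nothing was flagged.
function assessCorsHeaders(headers) {
  const h = normaliseHeaders(headers);
  const origin = h['access-control-allow-origin'];
  const pna = h['access-control-allow-private-network'] === 'true';
  const findings = [];
  if (origin === '*') findings.push('wildcard Access-Control-Allow-Origin');
  if (pna) findings.push('Access-Control-Allow-Private-Network: true');
  if (origin === '*' && pna) {
    // The combination from the advisory: any website a user visits can reach
    // the local API cross-origin, even in browsers that enforce Private
    // Network Access checks.
    findings.push('any website can call this local API cross-origin');
  }
  if (origin && origin !== '*' && !(h['vary'] || '').toLowerCase().includes('origin')) {
    findings.push('per-origin ACAO without Vary: Origin (cache poisoning risk)');
  }
  return findings;
}

// Hardened policy: reflect the request Origin only when it is on an explicit
// allowlist, never grant private-network access, and set Vary so caches do not
// reuse one origin's response for another. Unlisted origins get no CORS headers.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!requestOrigin || !allowlist.includes(requestOrigin)) return {};
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
}

// Constructed samples: the vulnerable header set and a hardened response.
const weak = { 'Access-Control-Allow-Origin': '*',
               'Access-Control-Allow-Private-Network': 'true' };
const hardened = corsHeadersFor('https://app.example', ['https://app.example']);
console.log(assessCorsHeaders(weak));      // three findings
console.log(assessCorsHeaders(hardened));  // []
```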


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Victim visits malicious website
Delivery: Website exploits permissive CORS policy
Exploit: Inject malicious JavaScript via SiYuan API
Execution: Execute code in Electron Node.js context
Impact: Achieve full OS-level remote code execution

Vulnerability Assessment (AI-generated)

Exploitation: SiYuan desktop versions prior to 3.6.2 with permissive CORS policy (Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true) enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Real-world risk is high despite requiring user interaction (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker hosts a malicious website containing JavaScript that targets SiYuan's localhost API. When a victim running SiYuan (pre-3.6.2) visits this site during normal web browsing, the permissive CORS policy allows the attacker's script to make cross-origin requests to inject a persistent JavaScript payload via the API. …
Remediation: Upgrade immediately to SiYuan version 3.6.2 or later, released February 2025, which patches the permissive CORS configuration. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI-generated)

Within 24 hours: Audit all SiYuan installations across the organization and identify users running versions prior to 3.6.2; notify affected users to immediately discontinue use until patched. …

