How to fix CVE-2026-34585?

Within 24 hours: Identify all SiYuan deployments and users (check installed versions via Help > About or local filesystem inspection). Communicate import restriction advisory to users-do not open .sy.zip files from untrusted sources. Within 7 days: Monitor vendor advisories for patch release (check siyuan.notion.site or GitHub releases); establish a testing environment for patch validation once available. Within 30 days: Deploy patched SiYuan version 3.6.2 or later to all endpoints; conduct security awareness training on import file verification practices.

CVE-2026-34585

EUVD-2026-17685 HIGH

2026-03-31 [email protected]

GHSA-ff66-236v-p4fg

8.6

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Apr 01, 2026 - 02:30 nvd

Patch available

Analysis Generated

Mar 31, 2026 - 22:22 vuln.today

EUVD ID Assigned

Mar 31, 2026 - 22:22 euvd

EUVD-2026-17685

CVE Published

Mar 31, 2026 - 22:16 nvd

HIGH 8.6

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.

Analysis

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system versions prior to 3.6.2 escalates to remote code execution in the Electron desktop client. Attackers craft malicious .sy.zip import files containing HTML entities mixed with raw special characters that bypass server-side attribute escaping, injecting event handlers into imported notes. …

Remediation

Within 24 hours: Identify all SiYuan deployments and users (check installed versions via Help > About or local filesystem inspection). Communicate import restriction advisory to users-do not open .sy.zip files from untrusted sources. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +43

POC: 0

CVE-2026-34585 vulnerability details – vuln.today

Back

CVE-2026-34585

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34585

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code