Cyber Posture

CVE-2026-32751

Critical · Public PoC

Published: 19 March 2026

Modified: 23 March 2026
KEV Added:
Patch:
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.3rd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Mandates filtering and encoding of information like notebook names prior to rendering via innerHTML, directly preventing the stored XSS injection from executing malicious HTML/JavaScript.

prevent: Requires validation of inputs from renamenotebook WebSocket events to block or sanitize arbitrary HTML/JavaScript payloads before storage.

prevent: Ensures timely identification, reporting, and patching of flaws like the unescaped rendering in MobileFiles.ts, as demonstrated by the fix in version 3.6.1.

Security Summary (AI)

CVE-2026-32751 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting SiYuan, a personal knowledge management system, in versions 3.6.0 and prior. The issue resides in the mobile file tree component (MobileFiles.ts), which renders notebook names using innerHTML without HTML escaping during processing of renamenotebook WebSocket events. In contrast, the desktop version (Files.ts) correctly applies escapeHtml(). The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

An authenticated attacker with permission to rename notebooks can inject arbitrary HTML and JavaScript into notebook names. This payload executes as stored XSS on any mobile client viewing the affected file tree. Due to the Electron application's configuration with nodeIntegration enabled and contextIsolation disabled, the injected JavaScript gains full Node.js access, enabling remote code execution. The mobile layout activates in the Electron desktop app on narrow windows, extending exploitability to desktop environments.

The vulnerability has been addressed in SiYuan version 3.6.1. Relevant resources include the fixing commit at https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0, the release notes at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1, and the security advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3, which recommend upgrading to the patched version for mitigation.
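The pattern the advisory describes, and the fix it contrasts it with, as an added JavaScript example that is not SiYuan's code and does not reproduce MobileFiles.ts or Files.ts. The escapeHtml() implementation, the shape and field names of the renamenotebook event, the sample notebook name, and the HARDENED_WEB_PREFERENCES object are all assumptions made for this example; only the bug pattern (untrusted name interpolated into innerHTML markup) and the remedy (escape before rendering, and do not hand the renderer Node.js access) come from the advisory. Runs in plain Node.js without a DOM, because the flaw is in the HTML string handed to innerHTML, not in the browser.

```javascript
// Added example, not SiYuan's code. innerHTML assignment is modelled as the
// HTML string the renderer would hand to the browser.

// Minimal HTML escaper (assumed implementation; SiYuan's escapeHtml() is not
// reproduced). Neutralises the five characters that can terminate a text node
// or a quoted attribute value. '&' must be replaced first so the entities
// produced by the later replacements are not themselves re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed renamenotebook event (field names assumed). The name is the
// kind of value an authenticated user is allowed to set.
const SAMPLE_EVENT = {
  cmd: "renamenotebook",
  data: { box: "20260319-demo", name: '<img src=x onerror="alert(1)">' },
};

// VULNERABLE: the pattern the advisory attributes to the mobile file tree.
// The name is interpolated straight into markup destined for innerHTML, so
// markup inside the name becomes part of the document.
function renderNotebookVulnerable(event) {
  return `<li data-box="${event.data.box}">${event.data.name}</li>`;
}

// FIXED: identical markup with every untrusted value escaped, which is what
// the advisory says the desktop file tree already did.
function renderNotebookFixed(event) {
  return `<li data-box="${escapeHtml(event.data.box)}">${escapeHtml(event.data.name)}</li>`;
}

// Defence in depth at the Electron layer (assumed settings, not SiYuan's
// configuration). With these standard BrowserWindow webPreferences a stored
// XSS stays confined to the page instead of inheriting Node.js access, which
// is the escalation the advisory describes.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Review check: does the untrusted value survive verbatim in the output?
// True means the renderer emitted raw markup from the input.
function containsRawMarkup(html, untrusted) {
  return html.includes(untrusted);
}

// Runs both renderers over the sample event and reports the outcome.
function demo() {
  const vuln = renderNotebookVulnerable(SAMPLE_EVENT);
  const fixed = renderNotebookFixed(SAMPLE_EVENT);
  return {
    vulnerableLeaksMarkup: containsRawMarkup(vuln, SAMPLE_EVENT.data.name),
    fixedLeaksMarkup: containsRawMarkup(fixed, SAMPLE_EVENT.data.name),
    fixed,
  };
}

console.log(demo());
```

The vulnerable renderer returns the sample name unchanged inside the `<li>`, so the browser would parse it as an element; the fixed renderer returns `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`, which the browser displays as text. When the data binding allows it, assigning the name to `textContent` instead of building an HTML string removes the need to escape at all; HARDENED_WEB_PREFERENCES is the separate change that keeps any remaining page-level XSS from reaching Node.js.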

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products

b3log / siyuan: ≤ 3.6.1

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The stored XSS vulnerability allows arbitrary JavaScript injection in an Electron app with nodeIntegration enabled, directly enabling remote code execution via client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References