CVE-2026-34449
Published: 31 March 2026
Description
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via the API. The injected snippet executes in Electron's Node.js context with full OS access the next time the user opens SiYuan's UI. No user interaction is required beyond visiting the malicious website while SiYuan is running. This issue has been patched in version 3.6.2.
Mitigating Controls (NIST 800-53 r5)
- Directly enforces strict cross-domain policies to block malicious websites from injecting JavaScript via the permissive CORS on SiYuan's API endpoints.
- Establishes and enforces secure configuration settings, including restrictive CORS headers (e.g., no wildcard origins or private network access), to prevent unauthorized API access.
- Controls and performs security checks on mobile code like injected JavaScript prior to execution in Electron's Node.js context with full OS access.
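As an added example (not code from SiYuan or its advisory), the following JavaScript contrasts the permissive header pair named above (wildcard Access-Control-Allow-Origin plus Access-Control-Allow-Private-Network: true) with an origin-allowlisted policy for a local API, and includes an audit helper a defender can run over observed response headers to flag that pair. The policy shapes, function names and the origin values are assumptions constructed for illustration; the 127.0.0.1:12345 origin is a placeholder, not a statement about SiYuan's actual listener.

```javascript
// Added example, not code from SiYuan or its advisory: a small CORS policy
// evaluator for a local API, showing the permissive header pair the advisory
// names next to an allowlisted policy, plus an audit helper that flags that
// pair in observed response headers. All names and origins are constructed.

// The policy the advisory describes: any origin, and private-network access
// acknowledged for anyone who asks.
const PERMISSIVE_POLICY = { allowOrigins: "*", allowPrivateNetwork: true };

// An allowlisted policy: only the application's own renderer origin is trusted
// (placeholder value, not SiYuan's real origin) and private-network access is
// only acknowledged for that origin.
const HARDENED_POLICY = {
  allowOrigins: ["http://127.0.0.1:12345"],
  allowPrivateNetwork: true,
};

// Return the CORS response headers a server would emit for a request carrying
// `origin` under `policy`. An empty object means the browser will block the
// cross-origin read. `preflight` models an OPTIONS request that also carries
// Access-Control-Request-Private-Network.
function corsHeadersFor(origin, policy, { preflight = false } = {}) {
  const headers = {};
  if (policy.allowOrigins === "*") {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (origin && policy.allowOrigins.includes(origin)) {
    // Echo the single trusted origin rather than "*", and tell caches that the
    // answer depends on the Origin header.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  } else {
    return headers; // unknown origin: no CORS headers at all
  }
  if (preflight && policy.allowPrivateNetwork) {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return headers;
}

// Server-side check that does not rely on the browser: CORS only governs
// whether a page may read the response, so a state-changing API should also
// refuse requests whose Origin header is present and not allowlisted.
function shouldRejectMutation(origin, policy) {
  if (policy.allowOrigins === "*") return false; // wildcard trusts everyone
  return origin !== undefined && !policy.allowOrigins.includes(origin);
}

// Audit helper for headers observed from a local service (for example, captured
// from a preflight response): flags the exact header pair the advisory names.
function auditCors(headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  const acapn = String(headers["Access-Control-Allow-Private-Network"] || "").toLowerCase();
  const findings = [];
  if (acao === "*") findings.push("wildcard Access-Control-Allow-Origin");
  if (acapn === "true") findings.push("Access-Control-Allow-Private-Network: true");
  return { permissive: findings.length === 2, findings };
}

// Constructed scenario: a page on an arbitrary external site sends a
// preflighted request to the local API under each policy.
const UNTRUSTED_ORIGIN = "https://example.invalid";

function demo() {
  const weak = corsHeadersFor(UNTRUSTED_ORIGIN, PERMISSIVE_POLICY, { preflight: true });
  const strong = corsHeadersFor(UNTRUSTED_ORIGIN, HARDENED_POLICY, { preflight: true });
  return { weak, strong, weakAudit: auditCors(weak), strongAudit: auditCors(strong) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The weak policy returns the same headers to every caller, which is what lets an unrelated site's page talk to the local API at all; the allowlisted policy returns nothing for an unknown origin, so the browser never exposes the response. Because CORS gates reading rather than sending, shouldRejectMutation shows the server-side companion control: validate the Origin header on state-changing endpoints instead of trusting the browser alone.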
Security Summary
CVE-2026-34449 is a high-severity remote code execution (RCE) vulnerability affecting SiYuan, an open-source personal knowledge management system built on Electron. In versions prior to 3.6.2, the application exposes a permissive CORS policy (Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true) on its API endpoints. This allows a malicious website to inject arbitrary JavaScript snippets; the snippets persist and execute in Electron's Node.js runtime context the next time the user interacts with SiYuan's UI, granting attackers full operating system access on the victim's desktop. The vulnerability is tracked under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) and carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Any remote attacker controlling a malicious website can exploit this vulnerability without authentication or privileges. The attack requires the victim to visit the attacker's site while SiYuan is running in the background; no additional user interaction is needed beyond that. Upon subsequent opening of SiYuan's UI, the injected JavaScript executes seamlessly in the Node.js context, enabling full RCE. This could allow attackers to steal data, install malware, or perform other arbitrary actions with the privileges of the SiYuan process, typically those of the logged-in user.
The issue has been fully patched in SiYuan version 3.6.2, as detailed in the project's GitHub release notes and security advisory (GHSA-68p4-j234-43mv). Security practitioners should advise users to update immediately to mitigate risk, with further technical details available in the associated GitHub issue (#17246).
Details
- CWE(s): CWE-942 (Permissive Cross-domain Policy with Untrusted Domains)
- Affected Products: SiYuan, versions prior to 3.6.2 (fixed in 3.6.2)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a client-side RCE in the Electron-based SiYuan desktop app, exploited by a malicious website injecting JavaScript through the permissive CORS policy, which directly enables Exploitation for Client Execution (T1203).