CVE-2026-34448 - Vulnerability Analysis
Critical | CVSS: 9.0 | Last Updated: March 31, 2026
SiYuan - Stored XSS
Published: March 31, 2026 | Updated: March 31, 2026 | Remote Exploitable
Overview
SiYuan < 3.6.2 contains a stored XSS caused by improper sanitization of URLs in the Attribute View mAsse field, letting attackers execute arbitrary OS commands via the Electron client. Exploitation requires the victim to open specific views with 'Cover From -> Asset Field' enabled.
Severity & Score
Severity: Critical
CVSS Score: 9.0
Impact
Attackers can execute arbitrary OS commands on the victim's machine, leading to full system compromise under the victim's account.
Mitigation
Update to version 3.6.2 or later.
Details
- CVE ID: CVE-2026-34448
- Severity: Critical
- CVSS Score: 9.0
- Type: stored_xss
- Status: new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H