Home / Vulnerability Intelligence / CVE-2026-34449

CVE-2026-34449 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: March 31, 2026

SiYuan - Remote Code Execution

Published: March 31, 2026Updated: March 31, 2026Remote Exploitable

Overview

SiYuan < 3.6.2 contains a remote code execution caused by permissive CORS policy allowing JavaScript injection via API, letting remote attackers execute code in Electron's Node.js context with full OS access, exploit requires user to visit malicious website while SiYuan is running.

Severity & Score

Severity: Critical

CVSS Score: 9.6

Impact

Remote attackers can execute arbitrary code with full OS access, leading to complete system compromise.

Mitigation

Update to version 3.6.2 or later.

References

https://github.com/siyuan-note/siyuan/issues/17246
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-68p4-j234-43mv

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34449
Severity: Critical
CVSS Score: 9.6
Type: remote_code_execution
Status: new

CWE

CWE-942

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H