CVE-2026-32751

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0	Patch
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1	Release Notes
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 18:16

NVD link : CVE-2026-32751

Mitre link : CVE-2026-32751

CVE.ORG link : CVE-2026-32751

JSON object : View

Products Affected

b3log

siyuan

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-32751", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T22:16:41.490", "references": [{"url": "https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. En las versiones 3.6.0 e inferiores, el \u00e1rbol de archivos m\u00f3vil (MobileFiles.ts) renderiza los nombres de los cuadernos a trav\u00e9s de innerHTML sin escape HTML al procesar eventos WebSocket de renamenotebook. La versi\u00f3n de escritorio (Files.ts) utiliza correctamente escapeHtml() para la misma operaci\u00f3n. Un usuario autenticado que puede renombrar cuadernos puede inyectar HTML/JavaScript arbitrario que se ejecuta en cualquier cliente m\u00f3vil que visualice el \u00e1rbol de archivos. Dado que Electron est\u00e1 configurado con nodeIntegration: true y contextIsolation: false, el JavaScript inyectado tiene acceso completo a Node.js, escalando el XSS almacenado a ejecuci\u00f3n remota de c\u00f3digo completa. El dise\u00f1o m\u00f3vil tambi\u00e9n se utiliza en la aplicaci\u00f3n de escritorio de Electron cuando la ventana es estrecha, lo que hace que esto sea explotable tambi\u00e9n en el escritorio. Este problema ha sido solucionado en la versi\u00f3n 3.6.1."}], "lastModified": "2026-03-23T18:16:01.297", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780", "versionEndExcluding": "3.6.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}