SiYuan desktop application is vulnerable to Remote Code Execution via a permissive CORS policy. A malicious website can inject JavaScript into the Ele...
Description
SiYuan desktop application is vulnerable to Remote Code Execution via a permissive CORS policy. A malicious website can inject JavaScript into the Electron Node.js context without user interaction.
AI Analyst Comment
Remediation
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: SiYuan
PRODUCT: SiYuan
AFFECTED_VERSIONS: Prior to version 3.6.2
---END_METADATA---
Description Summary:
SiYuan desktop application is vulnerable to Remote Code Execution via a permissive CORS policy. A malicious website can inject JavaScript into the Electron Node.js context without user interaction.
Executive Summary:
SiYuan's permissive CORS policy allows a malicious website to achieve Remote Code Execution on a user's desktop simply by having the victim visit a URL while the application is running.
Vulnerability Details
CVE-ID: CVE-2026-34449
Affected Software: SiYuan
Affected Versions: Prior to version 3.6.2
Vulnerability: The application implements a highly permissive CORS policy (Access-Control-Allow-Origin: *) that allows unauthenticated external websites to interact with its local API. An attacker can use this to inject a malicious JavaScript snippet that executes within the Electron Node.js context the next time the UI is opened.
Business Impact
This vulnerability poses a severe threat to individual workstation security and corporate data privacy. An attacker can gain full OS-level access to the victim's machine, allowing for the theft of sensitive notes, local files, and saved credentials. The CVSS score of 9.6 highlights the critical risk of zero-interaction RCE via a standard web browser.
Remediation Plan
Immediate Action: Update the SiYuan desktop application to version 3.6.2 or later to resolve the CORS policy and API injection flaws.
Proactive Monitoring: Monitor for unexpected outbound network connections from the SiYuan process and inspect local application logs for unauthorized API calls.
Compensating Controls: Utilize endpoint detection and response (EDR) tools to block suspicious child processes spawned by Electron-based applications.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of March 31, 2026, there is no public information indicating active exploitation. However, the requirement for only a simple website visit makes this a highly attractive target for watering hole attacks.
Analyst Recommendation
Because this vulnerability requires no direct user interaction other than visiting a malicious site, it is a high-priority threat. Administrators should ensure all users update their desktop clients immediately. Failure to patch leaves the local system entirely vulnerable to remote takeover through common web browsing activity.