CVE-2026-34449
SiYuan · SiYuan
The SiYuan desktop application is vulnerable to remote code execution through a permissive CORS policy on its local API. A malicious website opened in the victim's browser can inject JavaScript that later executes in the Electron Node.js context, with no user interaction beyond visiting the page.
Executive summary
SiYuan's permissive CORS policy allows a malicious website to achieve Remote Code Execution on a user's desktop simply by having the victim visit a URL while the application is running.
Vulnerability
The application's local API responds with a wildcard CORS policy (Access-Control-Allow-Origin: *), so any website open in the victim's browser can send cross-origin requests to it and read the responses, and the API does not authenticate those requests. An attacker uses this to store a malicious JavaScript snippet through the API; the snippet then executes within the Electron Node.js context the next time the UI is opened.
Business impact
This vulnerability poses a severe threat to individual workstation security and corporate data privacy. An attacker can gain OS-level code execution on the victim's machine, allowing for the theft of sensitive notes, local files, and saved credentials. The CVSS score of 9.6 highlights the critical risk of RCE triggered by ordinary web browsing, with no interaction beyond visiting a page.
Remediation
Immediate Action: Update the SiYuan desktop application to version 3.6.2 or later to resolve the CORS policy and API injection flaws.
Proactive Monitoring: Monitor for unexpected outbound network connections from the SiYuan process and inspect local application logs for API calls arriving from web origins other than the application's own UI.
Compensating Controls: Utilize endpoint detection and response (EDR) tools to block suspicious child processes spawned by Electron-based applications.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Because this vulnerability requires no direct user interaction other than visiting a malicious site, it is a high-priority threat. Administrators should ensure all users update their desktop clients immediately. Failure to patch leaves the local system entirely vulnerable to remote takeover through common web browsing activity.