CVE-2026-32751

moderate-risk

Published 2026-03-19

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1.

Do I need to act?

0.20% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.0/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Siyuan

Affected Vendors

B3Log

References (3)

Patch https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e579...

Release Notes https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1

Exploit https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal