{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32751", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.532Z", "datePublished": "2026-03-19T21:11:59.435Z", "dateUpdated": "2026-03-24T01:42:28.407Z"}, "containers": {"cna": {"title": "SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3"}, {"name": "https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0"}, {"name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:11:59.435Z"}, "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1."}], "source": {"advisory": "GHSA-qr46-rcv3-4hq3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T01:41:41.421383Z", "id": "CVE-2026-32751", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:42:28.407Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32751", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T01:41:41.421383Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T01:42:24.040Z"}}], "cna": {"title": "SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface", "source": {"advisory": "GHSA-qr46-rcv3-4hq3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"status": "affected", "version": "< 3.6.1"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3", "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0", "name": "https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "name": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:11:59.435Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32751", "state": "PUBLISHED", "dateUpdated": "2026-03-24T01:42:28.407Z", "dateReserved": "2026-03-13T18:53:03.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T21:11:59.435Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780", "versionEndExcluding": "3.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml() for the same operation. An authenticated user who can rename notebooks can inject arbitrary HTML/JavaScript that executes on any mobile client viewing the file tree. Since Electron is configured with nodeIntegration: true and contextIsolation: false, the injected JavaScript has full Node.js access, escalating stored XSS to full remote code execution. The mobile layout is also used in the Electron desktop app when the window is narrow, making this exploitable on desktop as well. This issue has been fixed in version 3.6.1."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. En las versiones 3.6.0 e inferiores, el \u00e1rbol de archivos m\u00f3vil (MobileFiles.ts) renderiza los nombres de los cuadernos a trav\u00e9s de innerHTML sin escape HTML al procesar eventos WebSocket de renamenotebook. La versi\u00f3n de escritorio (Files.ts) utiliza correctamente escapeHtml() para la misma operaci\u00f3n. Un usuario autenticado que puede renombrar cuadernos puede inyectar HTML/JavaScript arbitrario que se ejecuta en cualquier cliente m\u00f3vil que visualice el \u00e1rbol de archivos. Dado que Electron est\u00e1 configurado con nodeIntegration: true y contextIsolation: false, el JavaScript inyectado tiene acceso completo a Node.js, escalando el XSS almacenado a ejecuci\u00f3n remota de c\u00f3digo completa. El dise\u00f1o m\u00f3vil tambi\u00e9n se utiliza en la aplicaci\u00f3n de escritorio de Electron cuando la ventana es estrecha, lo que hace que esto sea explotable tambi\u00e9n en el escritorio. Este problema ha sido solucionado en la versi\u00f3n 3.6.1."}], "id": "CVE-2026-32751", "lastModified": "2026-03-23T18:16:01.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:41.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/siyuan-note/siyuan/commit/f6d35103f774b65e52f03e018649ff0e57924fb0"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-qr46-rcv3-4hq3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.1)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "siyuan", "source": "cna", "vendor": "siyuan-note"}, "product": "siyuan", "vendor": "siyuan"}], "analysis": {"en": {"generated_at": "2026-03-19T22:22:00.867557+00:00", "value": {"mitigation_remediation": ["Update SiYuan to version 3.6.1 or later, which contains the fix for rendering notebook names."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in the SiYuan personal knowledge management system for all versions up to and including 3.6.0. The affected components are the mobile file tree (MobileFiles.ts) and the narrow\u2011window desktop representation of the file tree. The issue has been fixed in SiYuan version 3.6.1, as indicated in the official release notes and commit history.", "description_and_impact": "SiYuan versions 3.6.0 and earlier render notebook names in the mobile file tree using innerHTML without escaping. An authenticated user who can rename a notebook can therefore inject arbitrary HTML or JavaScript. Because the Electron renderer is configured with nodeIntegration enabled and contextIsolation disabled, the injected script runs with full Node.js privileges on any mobile client viewing the file tree, elevating a stored cross-site scripting flaw to complete remote code execution. The mobile layout is also used on the desktop Electron app when the window is narrow, so the same flaw can be exploited in the desktop environment as well. The vulnerability is a classic Stored XSS (CWE-79) that can compromise the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score for this vulnerability is 5.1, indicating a medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who has permission to rename notebooks, making it a privilege\u2011based attack. Once the malicious notebook name is injected and viewed by a client, the compromised code executes with elevated Node.js privileges, potentially allowing unrestricted system access. The describable attack vector is a stored XSS that escalates to remote code execution due to Electron configuration. Given the medium CVSS and the high impact of full Node access, the risk is considered significant for environments where notebook rename rights are granted to users."}}}}, "created": "2026-03-20T08:55:51.651892+00:00", "updated": "2026-03-20T11:06:02.274217+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}