{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-34449/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-34449"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-34449","rce","siyuan","cors"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSiYuan is a personal knowledge management system. Versions prior to 3.6.2 contain a critical vulnerability (CVE-2026-34449) that allows a malicious website to execute arbitrary code on any desktop running the application. This is achieved by exploiting an overly permissive Cross-Origin Resource Sharing (CORS) policy (\u0026ldquo;Access-Control-Allow-Origin: *\u0026rdquo; combined with \u0026ldquo;Access-Control-Allow-Private-Network: true\u0026rdquo;). An attacker can inject a JavaScript snippet into the application via its API. This injected code then executes in the context of Electron\u0026rsquo;s Node.js environment, granting the attacker full operating system access. The vulnerability is triggered simply by a user visiting a malicious website while SiYuan is running. The issue has been addressed and patched in version 3.6.2 of SiYuan. This RCE can allow attackers to steal data, install malware, or perform other malicious activities on the victim\u0026rsquo;s machine.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim launches the SiYuan application on their desktop (Windows, Linux, or macOS).\u003c/li\u003e\n\u003cli\u003eVictim visits a malicious website in a web browser while SiYuan is running.\u003c/li\u003e\n\u003cli\u003eThe malicious website leverages the permissive CORS policy of SiYuan.\u003c/li\u003e\n\u003cli\u003eThe malicious website sends an API request to the running SiYuan instance.\u003c/li\u003e\n\u003cli\u003eThis API request injects a malicious JavaScript payload into SiYuan.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code is stored within SiYuan\u0026rsquo;s data.\u003c/li\u003e\n\u003cli\u003eThe next time the user opens SiYuan\u0026rsquo;s UI, the injected JavaScript code executes within Electron\u0026rsquo;s Node.js context.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full OS access and can perform arbitrary actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34449 allows for complete compromise of the user\u0026rsquo;s system. The attacker can steal sensitive data, install persistent backdoors, or deploy ransomware. Given SiYuan\u0026rsquo;s purpose as a knowledge management system, it likely holds valuable and sensitive personal or business information. The impact is significant due to the ease of exploitation requiring no user interaction beyond visiting a malicious website.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade SiYuan to version 3.6.2 or later to patch CVE-2026-34449.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual API requests originating from web browsers, as this could indicate exploitation attempts. Deploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect Suspicious SiYuan API Access from Web Browser\u0026quot;\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict CORS policies for web applications to prevent unauthorized cross-origin requests.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging and monitor for unexpected processes spawned from SiYuan, as this could be a sign of successful RCE. Deploy the Sigma rule \u003ccode\u003etitle: \u0026quot;Detect Processes Spawned from SiYuan Indicating RCE\u0026quot;\u003c/code\u003e to detect this.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T22:17:16Z","date_published":"2026-03-31T22:17:16Z","id":"/briefs/2026-04-siyuan-rce/","summary":"SiYuan versions prior to 3.6.2 are vulnerable to remote code execution (RCE) via a malicious website exploiting a permissive CORS policy to inject a JavaScript snippet, leading to arbitrary code execution within the application's Node.js context.","title":"SiYuan Knowledge Management System RCE via Malicious Website","url":"https://feed.craftedsignal.io/briefs/2026-04-siyuan-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-34449","version":"https://jsonfeed.org/version/1.1"}