Home / Vulnerability Intelligence / CVE-2026-34448

CVE-2026-34448 - Vulnerability Analysis

CriticalCVSS: 9.0

Last Updated: April 1, 2026

SiYuan - Stored XSS

Published: March 31, 2026Updated: April 1, 2026Remote Exploitable

Overview

SiYuan < 3.6.2 contains a stored XSS caused by improper sanitization of URLs in Attribute View mAsse field, letting attackers execute arbitrary OS commands via Electron client, exploit requires victim to open specific views with 'Cover From -> Asset Field' enabled.

Severity & Score

Severity: Critical

CVSS Score: 9.0

EPSS Score: 4.9%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary OS commands on victim's machine, leading to full system compromise under victim's account.

Mitigation

Update to version 3.6.2 or later.

References

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Apr 1, 2026

🔴 CVE-2026-34448 - Critical (9) SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34448/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Offensive Sequence

@offseq

Apr 1, 2026

🚨 CRITICAL alert: CVE-2026-34448 in SiYuan (<3.6.2) enables stored XSS, escalating to OS command execution via unsafe Electron configs. Patch to 3.6.2+ & tighten app security! Details: https://radar.offseq.com/threat/cve-2026-34448-cwe-79-improper-neutralization-of-i-36bc82a3 #OffSeq #SiYuan #CVE202634448 #XSS #infosec

View original post

Related Resources

Details

CVE ID: CVE-2026-34448
Severity: Critical
CVSS Score: 9.0
Type: stored_xss
Status: unconfirmed
EPSS: 4.9%
Social Posts: 2

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score

4.9%Probability of exploitation in the next 30 days