CVE-2026-34449 - Vulnerability Analysis
CriticalCVSS: 9.6Last Updated: April 1, 2026
SiYuan - Remote Code Execution
Overview
SiYuan < 3.6.2 contains a remote code execution caused by permissive CORS policy allowing JavaScript injection via API, letting remote attackers execute code in Electron's Node.js context with full OS access, exploit requires user to visit malicious website while SiYuan is running.
Severity & Score
Impact
Remote attackers can execute arbitrary code with full OS access, leading to complete system compromise.
Mitigation
Update to version 3.6.2 or later.
References
Social Media Activity(2 posts)
š“ CVE-2026-34449 - Critical (9.6) SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Execution (RCE) on any desktop running SiYuan by exploiting the permissive CORS policy (Access-Control-Allow-Origin: * + Access-C... š https://www.thehackerwire.com/vulnerability/CVE-2026-34449/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
šØ CVE-2026-34449: CRITICAL RCE in SiYuan (<3.6.2) via permissive CORS. Visiting a malicious site while SiYuan runs allows OS-level code exec. Patch to 3.6.2+ ASAP! https://radar.offseq.com/threat/cve-2026-34449-cwe-942-permissive-cross-domain-pol-0cb7b35e #OffSeq #SiYuan #CVE202634449 #RCE #InfoSec
View original postRelated Resources
Details
- CVE ID
- CVE-2026-34449
- Severity
- Critical
- CVSS Score
- 9.6
- Type
- remote_code_execution
- Status
- unconfirmed
- EPSS
- 14.5%
- Social Posts
- 2
CWE
- CWE-942
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H