CVE-2026-34448

Source
https://cve.org/CVERecord?id=CVE-2026-34448
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34448.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34448
Aliases
Published
2026-03-31T21:44:36.504Z
Modified
2026-04-02T13:30:37.898374Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
SiYuan: Stored XSS in Attribute View gallery/kanban cover rendering allows arbitrary command execution in the desktop client
Details

SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsset field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src="..."> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.
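
The rendering flaw described above, as an added example that is not SiYuan's code: the unescaped interpolation next to a form that validates the URL scheme and escapes the attribute value at output. All function names and the sample stored value are constructed for illustration.

```javascript
// Added example: constructed names, not SiYuan source code.

// Pattern described in the advisory: the stored string goes straight into markup.
function renderCoverUnsafe(coverURL) {
  return `<img class="cover" src="${coverURL}">`;
}

// Escape every character that can end an attribute value or start markup.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Accept only absolute http(s) URLs; return the parser-normalized form or null.
function normalizeCoverURL(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null;
  }
  return ["http:", "https:"].includes(parsed.protocol) ? parsed.href : null;
}

// Hardened form: validate first, then escape at the point of output.
function renderCoverSafe(coverURL) {
  const href = normalizeCoverURL(coverURL);
  return href === null ? "" : `<img class="cover" src="${escapeAttr(href)}">`;
}

// Lists the attribute names present on the tag (quoted values are blanked first).
function attributeNames(tag) {
  const blanked = tag.replace(/"[^"]*"/g, '""');
  return [...blanked.matchAll(/\s([a-zA-Z-]+)=/g)].map((m) => m[1]);
}

// Constructed stored value: an extension-less URL that carries a double quote.
const storedValue = 'https://img.example/cover" data-injected="1';

console.log(attributeNames(renderCoverUnsafe(storedValue)));
console.log(attributeNames(renderCoverSafe(storedValue)));
```

In a renderer process, assigning the validated URL through the DOM (for example the element's src property) avoids HTML parsing of the value altogether.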

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34448.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/siyuan-note/siyuan

Affected ranges

Type
GIT
Repo
https://github.com/siyuan-note/siyuan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.2"
        }
    ]
}

Affected versions

dev2.*
dev2.0.17-1
dev2.0.17-2
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.1-x2
v0.4.2
v0.4.3
v0.4.3-x1
v0.4.32
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.4.91
v0.4.92
v0.4.93
v0.4.94
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.41
v0.5.42
v0.5.43
v0.5.44
v0.5.45
v0.5.46
v0.5.5
v0.5.6
v0.5.6-alpha1
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.7.0
v0.7.1
v0.7.5
v0.7.8
v0.8.0
v0.8.5
v0.9.0
v0.9.2
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.81
v1.1.82
v1.1.83
v1.2.0
v1.2.0-beta1
v1.2.0-beta10
v1.2.0-beta11
v1.2.0-beta12
v1.2.0-beta13
v1.2.0-beta14
v1.2.0-beta15
v1.2.0-beta16
v1.2.0-beta2
v1.2.0-beta3
v1.2.0-beta4
v1.2.0-beta5
v1.2.0-beta6
v1.2.0-beta7
v1.2.0-beta8
v1.2.0-beta9
v1.2.0-rc1
v1.2.0-rc2
v1.2.0-rc3
v1.2.1
v1.2.2
v1.2.3
v1.2.31
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.5-beta1
v1.5.5-beta2
v1.5.5-beta3
v1.5.6
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.1
v1.8.2
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9
v2.*
v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.15-dev1
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.20-dev1
v2.0.21
v2.0.21-dev1
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.26-dev1
v2.0.26-dev2
v2.0.27
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.0-dev1
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.2
v2.1.3
v2.1.3-dev1
v2.1.4
v2.1.5
v2.1.6
v2.1.6-dev1
v2.1.7
v2.1.8
v2.1.8-dev1
v2.1.9
v2.10.0
v2.10.1
v2.10.1-dev1
v2.10.10
v2.10.10-dev1
v2.10.11
v2.10.11-dev1
v2.10.11-dev2
v2.10.11-dev3
v2.10.12
v2.10.12-dev1
v2.10.12-dev2
v2.10.13
v2.10.13-dev1
v2.10.13-dev2
v2.10.13-dev3
v2.10.13-dev4
v2.10.13-dev5
v2.10.14
v2.10.14-dev1
v2.10.14-dev2
v2.10.15
v2.10.15-dev1
v2.10.15-dev2
v2.10.15-dev3
v2.10.16
v2.10.16-dev1
v2.10.16-dev2
v2.10.16-dev3
v2.10.2
v2.10.2-dev1
v2.10.3
v2.10.3-dev1
v2.10.3-dev2
v2.10.3-dev3
v2.10.4
v2.10.4-dev1
v2.10.4-dev2
v2.10.4-dev3
v2.10.5
v2.10.5-dev1
v2.10.5-dev2
v2.10.6
v2.10.6-dev1
v2.10.6-dev2
v2.10.6-dev3
v2.10.6-dev4
v2.10.7
v2.10.8
v2.10.8-dev1
v2.10.8-dev2
v2.10.8-dev3
v2.10.9
v2.10.9-dev1
v2.10.9-dev2
v2.10.9-dev3
v2.10.9-dev4
v2.10.9-dev5
v2.11.0
v2.11.0-dev1
v2.11.0-dev2
v2.11.0-dev3
v2.11.1
v2.11.1-dev1
v2.11.1-dev2
v2.11.1-dev3
v2.11.2
v2.11.2-dev1
v2.11.2-dev2
v2.11.2-dev3
v2.11.2-dev4
v2.11.2-dev5
v2.11.2-dev6
v2.11.3
v2.11.3-dev1
v2.11.3-dev2
v2.11.4
v2.11.4-dev1
v2.11.4-dev2
v2.11.4-dev3
v2.11.4-dev4
v2.11.4-dev5
v2.11.4-dev6
v2.12.0
v2.12.0-dev1
v2.12.1
v2.12.1-dev1
v2.12.1-dev2
v2.12.1-dev3
v2.12.2
v2.12.3
v2.12.3-dev1
v2.12.3-dev2
v2.12.3-dev3
v2.12.4
v2.12.4-dev1
v2.12.4-dev2
v2.12.5
v2.12.6
v2.12.6-dev1
v2.12.7
v2.12.7-dev1
v2.12.7-dev2
v2.12.8
v2.12.8-dev1
v2.12.8-dev2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.12
v2.4.12-dev1
v2.4.12-dev2
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.0-dev1
v2.5.0-dev2
v2.5.1
v2.5.1-dev1
v2.5.1-dev2
v2.5.1-dev3
v2.5.1-dev4
v2.5.1-dev5
v2.5.2
v2.5.2-dev1
v2.5.2-dev2
v2.5.2-dev3
v2.5.3
v2.5.3-dev1
v2.5.3-dev2
v2.5.4
v2.5.4-dev1
v2.5.4-dev2
v2.5.5
v2.5.5-dev1
v2.6.0
v2.6.0-dev1
v2.6.0-dev2
v2.6.0-dev3
v2.6.1
v2.6.1-dev1
v2.6.1-dev2
v2.6.1-dev3
v2.6.1-dev4
v2.6.1-dev5
v2.6.1-dev6
v2.6.1-dev7
v2.6.2
v2.6.3
v2.6.3-dev1
v2.6.3-dev2
v2.6.3-dev3
v2.6.3-dev4
v2.6.3-dev5
v2.6.3-dev6
v2.7.0
v2.7.0-dev1
v2.7.0-dev2
v2.7.1
v2.7.1-dev1
v2.7.1-dev2
v2.7.1-dev3
v2.7.1-dev4
v2.7.1-dev5
v2.7.10
v2.7.2
v2.7.2-dev1
v2.7.2-dev2
v2.7.2-dev3
v2.7.3
v2.7.3-dev1
v2.7.3-dev2
v2.7.3-dev3
v2.7.3-dev4
v2.7.4
v2.7.4-dev1
v2.7.5
v2.7.5-dev1
v2.7.5-dev2
v2.7.6
v2.7.6-dev1
v2.7.6-dev2
v2.7.6-dev3
v2.7.6-dev4
v2.7.6-dev5
v2.7.7
v2.7.7-dev1
v2.7.7-dev2
v2.7.7-dev3
v2.7.7-dev4
v2.7.8
v2.7.8-dev1
v2.7.9
v2.7.9-dev1
v2.7.9-dev2
v2.8.0
v2.8.0-dev1
v2.8.0-dev2
v2.8.0-dev3
v2.8.1
v2.8.1-dev1
v2.8.1-dev2
v2.8.1-dev3
v2.8.10
v2.8.10-dev1
v2.8.10-dev2
v2.8.10-dev3
v2.8.10-dev4
v2.8.10-dev5
v2.8.2
v2.8.2-dev1
v2.8.2-dev2
v2.8.3
v2.8.3-dev1
v2.8.4
v2.8.4-dev1
v2.8.4-dev2
v2.8.5
v2.8.5-dev1
v2.8.5-dev2
v2.8.5-dev3
v2.8.6
v2.8.6-dev1
v2.8.6-dev2
v2.8.6-dev3
v2.8.6-dev4
v2.8.7
v2.8.7-dev1
v2.8.7-dev2
v2.8.7-dev3
v2.8.7-dev4
v2.8.7-dev5
v2.8.8
v2.8.8-dev1
v2.8.8-dev2
v2.8.8-dev3
v2.8.9
v2.8.9-dev1
v2.8.9-dev2
v2.8.9-dev3
v2.9.0
v2.9.0-dev1
v2.9.0-dev2
v2.9.1
v2.9.1-dev1
v2.9.1-dev2
v2.9.2
v2.9.2-dev1
v2.9.2-dev2
v2.9.2-dev3
v2.9.3
v2.9.3-dev1
v2.9.3-dev2
v2.9.3-dev3
v2.9.3-dev4
v2.9.4
v2.9.4-dev1
v2.9.4-dev2
v2.9.5
v2.9.5-dev1
v2.9.5-dev2
v2.9.6
v2.9.6-dev1
v2.9.7
v2.9.7-dev1
v2.9.7-dev2
v2.9.7-dev3
v2.9.8
v2.9.8-dev1
v2.9.8-dev2
v2.9.9
v2.9.9-dev1
v2.9.9-dev2
Other
v202205311650-dev
v3.*
v3.0.0
v3.0.0-dev1
v3.0.0-dev2
v3.0.1
v3.0.1-dev1
v3.0.1-dev2
v3.0.10
v3.0.10-dev1
v3.0.10-dev2
v3.0.10-dev3
v3.0.10-dev4
v3.0.10-dev5
v3.0.11
v3.0.11-dev1
v3.0.11-dev2
v3.0.11-dev3
v3.0.12
v3.0.12-dev1
v3.0.12-dev2
v3.0.12-dev3
v3.0.12-dev4
v3.0.12-dev5
v3.0.13
v3.0.13-dev1
v3.0.13-dev2
v3.0.13-dev3
v3.0.13-dev4
v3.0.14
v3.0.14-dev1
v3.0.14-dev2
v3.0.15
v3.0.15-dev1
v3.0.15-dev2
v3.0.16
v3.0.16-dev1
v3.0.16-dev2
v3.0.16-dev3
v3.0.17
v3.0.17-dev1
v3.0.17-dev2
v3.0.2
v3.0.2-dev1
v3.0.2-dev2
v3.0.3
v3.0.3-dev1
v3.0.3-dev2
v3.0.3-dev3
v3.0.3-dev4
v3.0.3-dev5
v3.0.3-dev6
v3.0.3-dev7
v3.0.4
v3.0.4-dev1
v3.0.4-dev2
v3.0.4-dev3
v3.0.5
v3.0.5-dev1
v3.0.5-dev2
v3.0.5-dev3
v3.0.5-dev4
v3.0.5-dev5
v3.0.6
v3.0.6-dev1
v3.0.6-dev2
v3.0.6-dev3
v3.0.7
v3.0.7-dev1
v3.0.8
v3.0.8-dev1
v3.0.8-dev2
v3.0.9
v3.1.0
v3.1.0-dev1
v3.1.0-dev10
v3.1.0-dev11
v3.1.0-dev12
v3.1.0-dev2
v3.1.0-dev3
v3.1.0-dev4
v3.1.0-dev5
v3.1.0-dev6
v3.1.0-dev7
v3.1.0-dev8
v3.1.0-dev9
v3.1.1
v3.1.1-dev1
v3.1.1-dev2
v3.1.10
v3.1.10-dev1
v3.1.10-dev2
v3.1.10-dev3
v3.1.10-dev4
v3.1.10-dev5
v3.1.10-dev6
v3.1.11
v3.1.11-dev1
v3.1.11-dev10
v3.1.11-dev11
v3.1.11-dev2
v3.1.11-dev3
v3.1.11-dev4
v3.1.11-dev5
v3.1.11-dev6
v3.1.11-dev7
v3.1.11-dev8
v3.1.11-dev9
v3.1.12
v3.1.12-dev1
v3.1.12-dev2
v3.1.12-dev3
v3.1.12-dev4
v3.1.12-dev5
v3.1.12-dev6
v3.1.13
v3.1.14
v3.1.14-dev1
v3.1.14-dev2
v3.1.14-dev3
v3.1.14-dev4
v3.1.14-dev5
v3.1.14-dev6
v3.1.14-dev7
v3.1.15
v3.1.15-dev1
v3.1.15-dev2
v3.1.15-dev3
v3.1.16
v3.1.16-dev1
v3.1.16-dev2
v3.1.17
v3.1.17-dev1
v3.1.17-dev2
v3.1.18
v3.1.18-dev1
v3.1.18-dev2
v3.1.19
v3.1.19-dev1
v3.1.19-dev2
v3.1.19-dev3
v3.1.2
v3.1.2-dev1
v3.1.2-dev2
v3.1.2-dev3
v3.1.2-dev4
v3.1.20
v3.1.20-dev1
v3.1.20-dev2
v3.1.20-dev3
v3.1.20-dev4
v3.1.21
v3.1.21-dev1
v3.1.21-dev2
v3.1.21-dev3
v3.1.21-dev4
v3.1.22
v3.1.22-dev1
v3.1.22-dev2
v3.1.23
v3.1.23-dev1
v3.1.23-dev2
v3.1.24
v3.1.24-dev1
v3.1.24-dev2
v3.1.24-dev3
v3.1.25
v3.1.25-dev1
v3.1.25-dev2
v3.1.25-dev3
v3.1.25-dev4
v3.1.25-dev5
v3.1.25-dev6
v3.1.26
v3.1.26-dev1
v3.1.26-dev2
v3.1.26-dev3
v3.1.27
v3.1.27-dev1
v3.1.27-dev2
v3.1.27-dev3
v3.1.27-dev4
v3.1.28
v3.1.28-dev1
v3.1.28-dev2
v3.1.28-dev3
v3.1.29
v3.1.29-dev1
v3.1.29-dev2
v3.1.29-dev3
v3.1.29-dev4
v3.1.29-dev5
v3.1.29-dev6
v3.1.29-dev7
v3.1.3
v3.1.3-dev1
v3.1.3-dev2
v3.1.30
v3.1.30-dev1
v3.1.31
v3.1.31-dev1
v3.1.31-dev2
v3.1.32
v3.1.32-dev1
v3.1.32-dev2
v3.1.32-dev3
v3.1.32-dev4
v3.1.32-dev5
v3.1.4
v3.1.4-dev1
v3.1.4-dev2
v3.1.4-dev3
v3.1.4-dev4
v3.1.4-dev5
v3.1.5
v3.1.5-dev1
v3.1.5-dev2
v3.1.6
v3.1.6-dev1
v3.1.6-dev2
v3.1.7
v3.1.7-dev1
v3.1.7-dev2
v3.1.7-dev3
v3.1.7-dev4
v3.1.7-dev5
v3.1.7-dev6
v3.1.7-dev7
v3.1.7-dev8
v3.1.8
v3.1.8-dev1
v3.1.8-dev2
v3.1.8-dev3
v3.1.9
v3.1.9-dev1
v3.1.9-dev10
v3.1.9-dev2
v3.1.9-dev3
v3.1.9-dev4
v3.1.9-dev5
v3.1.9-dev6
v3.1.9-dev7
v3.1.9-dev8
v3.1.9-dev9
v3.2.0
v3.2.0-dev1
v3.2.0-dev10
v3.2.0-dev2
v3.2.0-dev3
v3.2.0-dev4
v3.2.0-dev5
v3.2.0-dev6
v3.2.0-dev7
v3.2.0-dev8
v3.2.0-dev9
v3.2.1
v3.2.1-dev1
v3.2.1-dev2
v3.2.1-dev3
v3.2.1-dev4
v3.2.1-dev5
v3.2.1-dev6
v3.3.0
v3.3.0-dev1
v3.3.0-dev2
v3.3.0-dev3
v3.3.0-dev4
v3.3.0-dev5
v3.3.0-dev6
v3.3.0-dev7
v3.3.1
v3.3.1-dev1
v3.3.2
v3.3.2-dev1
v3.3.2-dev2
v3.3.3
v3.3.3-dev1
v3.3.3-dev2
v3.3.3-dev3
v3.3.3-dev4
v3.3.3-dev5
v3.3.4
v3.3.4-dev1
v3.3.4-dev2
v3.3.5
v3.3.5-dev1
v3.3.6
v3.3.6-dev1
v3.3.6-dev2
v3.4.0
v3.4.0-dev1
v3.4.0-dev2
v3.4.0-dev3
v3.4.0-dev4
v3.4.0-dev5
v3.4.1
v3.4.1-dev1
v3.4.1-dev2
v3.4.2
v3.4.2-dev1
v3.5.0
v3.5.0-dev1
v3.5.0-dev2
v3.5.1
v3.5.1-dev1
v3.5.1-dev2
v3.5.10
v3.5.2
v3.5.2-dev1
v3.5.2-dev2
v3.5.3
v3.5.3-dev1
v3.5.3-dev2
v3.5.3-dev3
v3.5.3-dev4
v3.5.3-dev5
v3.5.3-dev6
v3.5.4
v3.5.4-dev1
v3.5.4-dev2
v3.5.4-dev3
v3.5.4-dev4
v3.5.4-dev5
v3.5.4-dev6
v3.5.5
v3.5.5-dev1
v3.5.5-dev2
v3.5.6
v3.5.6-dev1
v3.5.7
v3.5.8
v3.5.8-dev1
v3.5.8-dev2
v3.5.9
v3.5.9-dev1
v3.5.9-dev2
v3.6.0
v3.6.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34448.json"