Nixpkgs security tracker

Untriaged

Permalink CVE-2026-34585

8.6 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 weeks, 4 days ago

SiYuan: Stored XSS in imported .sy.zip content leads to arbitrary command execution

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a .sy document, package it as a .sy.zip, and have the victim import it through the normal Import -> SiYuan .sy.zip workflow. Once the note is opened, the malicious attribute breaks out of its original HTML context and injects an event handler, resulting in stored XSS. In the Electron desktop client, this XSS reaches remote code execution because injected JavaScript runs with access to Node/Electron APIs. This issue has been patched in version 3.6.2.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-ff66-236v-p4fg x_refsource_CONFIRM
https://github.com/siyuan-note/siyuan/issues/17246 x_refsource_MISC
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2 x_refsource_MISC

Affected products

siyuan

==< 3.6.2

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.6.1
- nixpkgs-unstable 3.6.1
- nixos-unstable-small 3.6.1
nixos-25.11 3.6.1
- nixos-25.11-small 3.6.1
- nixpkgs-25.11-darwin 3.6.1

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers