
Permissive CORS enables cross-origin Electron RCE in SiYuan

1 min read. Published 31 Mar 2026. Updated 31 Mar 2026. Source: CVEProject (cvelistV5)

TL;DR — A malicious website can abuse SiYuan’s permissive CORS policy to inject JavaScript that later executes in the Electron desktop client with full OS access.

What happened

SiYuan is a personal knowledge management system with a desktop client built on Electron.

CVE-2026-34449 describes a critical remote code execution (RCE) issue where a malicious website can exploit SiYuan’s permissive CORS policy (including Access-Control-Allow-Origin: * and Access-Control-Allow-Private-Network: true) to inject a JavaScript snippet via SiYuan’s API. Per the CVE record, the injected snippet executes in Electron’s Node.js context with full OS access the next time the user opens SiYuan’s UI.

Severity is CVSS v3.1 9.7 (Critical). This is a high-risk “local app + browser origin” trust-boundary failure mode: once a desktop app exposes a powerful API with permissive cross-origin access, drive-by web content can become a code-execution path on developer and knowledge-worker endpoints.
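To make the trust-boundary failure concrete, here is an added example (not SiYuan's code and not from the CVE record) that models how a local desktop API decides what to do with a cross-origin browser request. It shows the permissive policy the record describes (Access-Control-Allow-Origin: * plus Access-Control-Allow-Private-Network: true) beside a hardened policy that only honours the app's own origins. The port, origin list and request shape are assumptions made for the example.

```javascript
// Added example, not SiYuan's code. Models a local desktop API's handling of
// cross-origin browser requests: the permissive policy described in the CVE
// record beside a hardened policy that validates the Origin header.
// The port and origin list below are assumptions for this example.

const APP_ORIGINS = new Set([
  "http://127.0.0.1:6806", // assumption: the desktop client's own UI origin
  "http://localhost:6806",
]);

// Minimal request shape used below (constructed; not a real HTTP library type).
// Pass origin === null to model a request that carries no Origin header.
function makeRequest(method, origin, extraHeaders = {}) {
  const headers = { ...extraHeaders };
  if (origin !== null) headers["origin"] = origin;
  return { method, headers };
}

// Permissive policy (the pattern the advisory describes): every origin is
// answered with "*" and the private-network preflight is granted, so any
// website the user visits can reach the local API from the browser.
function permissivePolicy(req) {
  const headers = { "Access-Control-Allow-Origin": "*" };
  if (req.method === "OPTIONS" &&
      req.headers["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { allowed: true, status: 200, headers };
}

// Hardened policy: only the app's own origins get CORS headers and the
// private-network grant. Requests from any other origin are also refused on
// the server side, because "simple" requests (for example a text/plain POST)
// are sent without a preflight and would otherwise still reach the handler.
function strictPolicy(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) {
    // No Origin header: same-origin navigation or a non-browser client.
    return { allowed: true, status: 200, headers: {} };
  }
  if (!APP_ORIGINS.has(origin)) {
    return { allowed: false, status: 403, headers: {} };
  }
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (req.method === "OPTIONS") {
    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    if (req.headers["access-control-request-private-network"] === "true") {
      headers["Access-Control-Allow-Private-Network"] = "true";
    }
  }
  return { allowed: true, status: 200, headers };
}

// Constructed preflight from an untrusted web origin, as a browser would send
// it before a cross-origin POST to a private-network address.
const untrustedPreflight = makeRequest("OPTIONS", "https://untrusted.example", {
  "access-control-request-method": "POST",
  "access-control-request-private-network": "true",
});

console.log("permissive:", permissivePolicy(untrustedPreflight));
console.log("strict:", strictPolicy(untrustedPreflight));
```

The Origin check is the control that matters for the drive-by scenario in the CVE, since a browser always attaches the page's real origin. It is not a substitute for authentication: a non-browser client can set any Origin it likes, so a local API that can run code should additionally require a per-install token and never treat "reachable from localhost" as trusted.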

Who is impacted

  • SiYuan (siyuan-note/siyuan) desktop installations prior to 3.6.2.
  • Environments where users may browse untrusted sites while SiYuan is running (the CVE states no user interaction is required beyond visiting a malicious website while SiYuan is running).
| Component | Affected versions (per CVE record) | Patched version (per CVE record) |
| --- | --- | --- |
| siyuan | < 3.6.2 | 3.6.2 |

What to do now

  • Follow vendor remediation guidance and apply the patched release.
    • "This issue has been patched in version 3.6.2."

  • Inventory endpoints (developer laptops, exec workstations, VDI images) with SiYuan installed and identify any instances running an affected version.
  • Treat this as a potential workstation-to-environment pivot risk: if SiYuan is used to store secrets, tokens, or operational runbooks, reassess exposure and review access/rotation playbooks accordingly.
  • Until remediation is confirmed deployed everywhere, reduce exposure by limiting untrusted browsing on systems where SiYuan is running (the attack precondition described in the CVE is visiting a malicious website while SiYuan is running).
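For the inventory step above, an added example (not from the advisory or the SiYuan project) that flags installs below the patched release. The affected range (< 3.6.2) comes from the CVE record; the hostnames and version strings are constructed. The point worth showing is that version strings must be compared numerically, since a plain string comparison ranks "3.10.0" below "3.6.2" and would misreport a patched host.

```javascript
// Added example, not from the advisory or the SiYuan project: flags inventoried
// installs whose version is below the patched release named in the CVE record.
// The inventory rows are constructed sample data.

const PATCHED_VERSION = "3.6.2"; // from the CVE record

// Parse "v3.6.2", "3.6.2" or "3.10.0-beta1" into numeric parts plus an
// optional pre-release tag. Throws on anything it cannot parse so that a
// malformed agent export is surfaced rather than silently treated as patched.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Numeric major/minor/patch comparison; a pre-release of a given triple
// ranks below the final release of the same triple (as in semver).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// "< 3.6.2" is the affected range stated in the CVE record.
function isAffected(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Constructed inventory rows, e.g. as exported from an endpoint agent.
const INVENTORY = [
  { host: "dev-laptop-01", version: "3.5.9" },
  { host: "dev-laptop-02", version: "v3.6.2" },
  { host: "vdi-image-gold", version: "3.6.1" },
  { host: "exec-ws-07", version: "3.10.0" },
  { host: "dev-laptop-03", version: "3.6.2-beta1" },
];

// Returns the hostnames that still need the patched release.
function hostsNeedingRemediation(rows) {
  return rows.filter((r) => isAffected(r.version)).map((r) => r.host);
}

console.log(hostsNeedingRemediation(INVENTORY));
```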

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
