XSS in Siyuan-note Siyuan

CVE-2026-32751

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop ve…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (25.1th percentile)
