VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Mar 20, 2026· Updated Mar 20, 2026

SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering

CVE-2026-33066

Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/siyuan-note/siyuan/kernelGo
< 0.0.0-20260314111550-b382f50e18800.0.0-20260314111550-b382f50e1880

Affected products

1

Patches

1
b382f50e1880

:lock: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-v3mg-9v85-fcm7

https://github.com/siyuan-note/siyuanDanielMar 14, 2026via ghsa
commit
1 file changed · +1 0
  • kernel/bazaar/readme.go+1 0 modified
    @@ -109,6 +109,7 @@ func getInstalledPackageREADME(installPath, linkBase string, readme LocaleString
 func renderPackageREADME(linkBase string, mdData []byte) (ret string) {
 	mdData = bytes.TrimPrefix(mdData, []byte("\xef\xbb\xbf")) // 移除文件开头的 BOM
 	luteEngine := lute.New()
+	luteEngine.SetSanitize(true)
 	luteEngine.SetSoftBreak2HardBreak(false)
 	luteEngine.SetCodeSyntaxHighlight(false)
 	luteEngine.SetLinkBase(linkBase)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.