CVE-2026-33067

CRITICAL

SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Title source: cna

Description

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.

References (1)

[X_Refsource_Confirm] https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf

Scores

CVSS v3 9.0

EPSS 0.0009

EPSS Percentile 26.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (3)

b3log/siyuan < 3.6.1

siyuan-note/siyuan 0 - 0.0.0-20260317012524-fe4523fff2c8Go

siyuan-note/siyuan < 3.6.1

Published Mar 20, 2026

Tracked Since Mar 20, 2026