Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not effectively filter srcdoc attributes which contain raw HTML rather than URLs. A malicious bazaar package author can include an iframe with a srcdoc attribute containing embedded scripts in their README. When other users view the package in SiYuan's marketplace UI, the payload executes in the Electron context with full application privileges, enabling arbitrary code execution on the user's machine. This issue has been fixed in version 3.6.4.
Published: 2026-04-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to arbitrary code execution in Electron context
Action: Immediate Patch
AI Analysis

Impact

A stored cross-site scripting flaw exists in SiYuan’s marketplace rendering of bazaar READMEs. The sanitizer enabled in versions 3.6.1 to 3.6.3 does not block iframe elements, and its URL blocklist does not filter the srcdoc attribute that can carry raw HTML. A malicious bazaar package author can embed an iframe with a srcdoc containing JavaScript, which is executed inside the Electron application with full privileges when other users view the package in the marketplace UI, allowing arbitrary code execution.
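As an added illustration (not SiYuan or Lute code), the following Python audit shows the gap the advisory describes: a URL-prefix blocklist cannot judge srcdoc because its value is markup rather than a URL, so a README sanitizer has to drop the iframe element and the srcdoc attribute outright under a tag allowlist. The tag and attribute sets, the blocklist prefixes and the sample README are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

BLOCKED_URL_PREFIXES = ("javascript:", "vbscript:", "data:")  # URL-prefix blocklist
ALLOWED_TAGS = {"p", "a", "code", "pre", "em", "strong", "ul", "ol", "li"}  # no iframe
URL_ATTRS = {"href", "src"}   # values are URLs: prefix check applies
RAW_HTML_ATTRS = {"srcdoc"}   # value is markup, not a URL: always drop

def url_prefix_blocklist_flags(value):
    """True if a URL-prefix blocklist would reject this attribute value."""
    return value.strip().lower().startswith(BLOCKED_URL_PREFIXES)

class ReadmeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.clean = [], []
        self.suppress = []  # stack of open elements being dropped

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # html.parser has already unescaped values
            value = value or ""
            if name in RAW_HTML_ATTRS:
                self.findings.append(("raw-html-attr", f"{tag}[{name}]"))
            elif name in URL_ATTRS and url_prefix_blocklist_flags(value):
                self.findings.append(("blocked-url", f"{tag}[{name}]"))
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag not in ALLOWED_TAGS or self.suppress:
            self.findings.append(("dropped-tag", tag))
            self.suppress.append(tag)  # drop the element and its contents
            return
        self.clean.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if self.suppress and self.suppress[-1] == tag:
            self.suppress.pop()
        elif not self.suppress and tag in ALLOWED_TAGS:
            self.clean.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.suppress:
            self.clean.append(escape(data, quote=False))

def audit_readme(html):  # returns (findings, sanitized fragment)
    p = ReadmeAuditor()
    p.feed(html)
    p.close()
    return p.findings, "".join(p.clean)

# Constructed sample: a benign link plus an iframe whose srcdoc holds markup.
SAMPLE_README = ('<p>Hello <a href="https://example.invalid/docs">docs</a></p>'
                 '<iframe srcdoc="&lt;p&gt;raw html, not a URL&lt;/p&gt;">x</iframe>')
```

Running `audit_readme(SAMPLE_README)` reports the srcdoc attribute and the dropped iframe while the prefix check alone, applied to the unescaped srcdoc value, flags nothing.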

Affected Systems

The affected vendor is Siyuan Note, product SiYuan. Versions 3.6.1 through 3.6.3 are vulnerable; the fix was released in version 3.6.4. Users running those releases should verify that they have not installed any untrusted bazaar packages and should avoid opening suspicious READMEs.

Risk and Exploitability

The CVSS base score for this flaw is 5.3, indicating a moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalogue, so no publicly documented exploits are currently known. The attack would occur by first uploading a malicious bazaar package to the marketplace and then having other users view the package’s README. Because the payload executes with full application privileges and requires no advanced setup, the potential impact is high for any user who installs or views untrusted packages. Given the absence of an official workaround, the risk is mainly mitigated by applying the available patch.

Generated by OpenCVE AI on April 17, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.4 or later to fully patch the vulnerability.
  • Ensure that no untrusted bazaar packages are installed or retained on the system.
  • Avoid opening or interacting with READMEs from untrusted packages in the SiYuan marketplace until a patch is applied.



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 08:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Siyuan
                                       Siyuan siyuan
Vendors & Products                     Siyuan
                                       Siyuan siyuan

Thu, 16 Apr 2026 23:30:00 +0000

Type          Values Removed   Values Added
Description                    SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not effectively filter srcdoc attributes which contain raw HTML rather than URLs. A malicious bazaar package author can include an iframe with a srcdoc attribute containing embedded scripts in their README. When other users view the package in SiYuan's marketplace UI, the payload executes in the Electron context with full application privileges, enabling arbitrary code execution on the user's machine. This issue has been fixed in version 3.6.4.
Title                          SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066)
Weaknesses                     CWE-79
References
Metrics                        cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T23:14:00.592Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40922

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-04-17T01:17:40.447

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:00:10Z

Weaknesses