Impact
The vulnerability is a stored cross‑site scripting flaw in the CSS snippet rendering function, renderSnippet(). A CSS snippet containing a closing </style> tag terminates the surrounding <style> element when the snippet is inserted via insertAdjacentHTML. The injected closing tag allows arbitrary JavaScript to execute in the renderer, which for Electron desktop applications runs with nodeIntegration enabled. Through this path the attacker can call require('child_process') and spawn shell commands, achieving remote code execution. The flaw is a classic example of CWE‑79 (Cross‑Site Scripting) and, due to improper handling of CSS tags, also relates to CWE‑1188 (CSS Injection: Style Block Breakout). It additionally bypasses the user‑controlled separation of enabledCSS and enabledJS; disabling JavaScript does not prevent the malicious CSS‑based payload from running.
Affected Systems
SiYuan is an open‑source personal knowledge‑management system. All releases prior to 3.7.0, in every platform build that renders CSS snippets with renderSnippet(), are affected. Users who run the Electron desktop edition with default nodeIntegration:true are especially vulnerable. Any workspace that synchronizes a snippet containing the </style> payload and the workspace is shared with users who have write access can propagate the exploit to all devices that pull the workspace.
Risk and Exploitability
The CVSS base score of 9.9 categorizes this flaw as critical. The EPSS score is not available, so the exact exploitation probability cannot be quantified, but the widespread use of SiYuan and the default nodeIntegration setting indicate a high exploitability for attackers who control a synced workspace. Although this vulnerability is not yet in the CISA KEV catalog, its attack vector – the injection of a malicious CSS snippet via a shared workspace – allows automatic execution on any client that pulls the file, elevating the overall risk.
OpenCVE Enrichment
Github GHSA