Impact
SiYuan is an open‑source personal knowledge management system. Prior to version 3.7.0, the attribute‑view cell renderer genAVValueHTML interpolates cell content raw in four branches: text, url, phone, and cell value that includes a closing textarea tag followed by an image tag with an onerror attribute, such as </textarea><img src=x onerror=\"...\">. This stored cross‑site scripting flaw (CWE‑79) and its lack of proper escaping of raw input (CWE‑1188) allow the reader to break out of the surrounding tag and execute arbitrary JavaScript when the block‑attribute panel is opened. Because the Electron desktop build runs with nodeIntegration enabled, this XSS can chain to host remote code execution via require('child_process'). The payload is stored in AV files under the workspace, so an attacker with write access to any synced workspace can plant the payload once and have it trigger on every device that opens the panel. The kernel does not escape the payload, so it persists byte‑for‑byte. There is no protective call analogous to html.EscapeAttrVal to safeguard block IAL attributes at kernel/model/blockial.go:261. The vulnerability was fixed in version 3.7.0.
Affected Systems
The vulnerability affects all Siyuan deployments running a version earlier. those environments, any cell in the attribute view that contains a malicious payload—such as a closing textarea tag or an image tag with an onerror handler—will be rendered verbatim. Users or collaborators with write access to a synced workspace can embed such payloads; the malicious cell persists unchanged across devices and triggers on every device that opens a panel containing that row.
Risk and Exploitability
The CVSS score of 9.9 indicates a critical risk. The EPSS score is not available, but the absence of this metric does not diminish the inherent severity of the flaw. The vulnerability is not listed in CISA KEV, yet its exploit path remains straightforward: an attacker must be able to write to a synced workspace and subsequently entice a user to view the block‑attribute panel. Once the XSS succeeds, the local Electron environment provides direct access to the operating system, allowing arbitrary code execution.
OpenCVE Enrichment
Github GHSA