PT-2026-26097 · Electron+1

0Xkakash1 · Published 2026-03-18 · Updated 2026-03-27 · CVE-2026-33067

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.5.9 and earlier; SiYuan versions 3.6.0 and below
Description: SiYuan, a personal knowledge management system, is affected by a critical issue allowing for cross-site scripting (XSS) that can escalate to remote code execution (RCE). The Bazaar (community marketplace) renders package metadata fields, specifically 'displayName' and 'description', using template literals without proper HTML escaping. This allows a malicious package author to inject arbitrary HTML and JavaScript code into these fields. When any user browses the Bazaar page, this injected code automatically executes. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, the XSS vulnerability directly escalates to full RCE on the victim's operating system, requiring no user interaction beyond opening the marketplace tab. The vulnerable code is located in app/src/config/bazaar.ts:275-277 and app/electron/main.js:422-426. A proof of concept demonstrates the ability to execute arbitrary commands, such as launching 'calc.exe' or establishing a reverse shell, simply by browsing the Bazaar page. This vulnerability poses a significant supply-chain risk to the entire SiYuan user community. Attackers can potentially steal API tokens, session cookies, SSH keys, browser credentials, and arbitrary files, or install persistent backdoors and ransomware. The issue affects all supported platforms: Windows, macOS, and Linux.
Recommendations: Versions prior to 3.6.1 are vulnerable. Apply HTML escaping to all package metadata in template rendering in bazaar.ts. Implement server-side sanitization of metadata fields during the Bazaar index pipeline. Harden the Electron configuration by setting nodeIntegration: false, contextIsolation: true, and sandbox: true.
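The following is an added illustration of the recommendations above, not SiYuan's own code: it contrasts unescaped template-literal rendering of package metadata with an escaped version, adds a hypothetical index-pipeline check for fields that carry markup, and states the hardened Electron webPreferences. The card markup, class name, function names and the sample metadata are assumptions constructed for this example.

```javascript
// Added illustration, not SiYuan's own code. Assumed shapes: a package
// metadata object with displayName and description fields; card markup
// and class names are made up for this example.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open a tag, attribute or entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: untrusted metadata interpolated straight into markup,
// so a package author controls what the marketplace page renders.
function renderPackageCardUnsafe(pkg) {
  return `<div class="package-card"><h3>${pkg.displayName}</h3><p>${pkg.description}</p></div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderPackageCard(pkg) {
  return `<div class="package-card"><h3>${escapeHtml(pkg.displayName)}</h3><p>${escapeHtml(pkg.description)}</p></div>`;
}

// Index-pipeline check (hypothetical): report metadata fields that carry
// markup so the index builder can reject or sanitize them server-side.
function findMarkupFields(pkg) {
  return ["displayName", "description"].filter((key) => /[<>]/.test(String(pkg[key] ?? "")));
}

// Renderer settings from the recommendation above, in contrast to the
// nodeIntegration: true / contextIsolation: false configuration that turns
// a marketplace XSS into code execution on the host.
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Constructed sample metadata containing markup, for demonstration only.
const samplePackage = {
  displayName: "Dark <b>Theme</b>",
  description: 'Icons & "quotes" <i>italic</i>',
};

console.log(renderPackageCardUnsafe(samplePackage)); // tags reach the page as markup
console.log(renderPackageCard(samplePackage));       // tags rendered as literal text
console.log(findMarkupFields(samplePackage));        // [ 'displayName', 'description' ]
```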

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33067
GHSA-MVPM-V6Q4-M2PF
GO-2026-4747
SUSE-SU-2026:1135-1

Affected Products

Electron
Siyuan