PT-2026-26188 · Siyuan+3

0Xkakash1 · Published 2026-03-18 · Updated 2026-04-14

CVE-2026-33066 · CVSS v3.1 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and earlier (the vulnerability is also listed against 3.5.9 and earlier; that range is contained in 3.6.0 and earlier).
Description: SiYuan is a personal knowledge management system. The backend 'renderREADME' function uses 'lute.New()' without calling 'SetSanitize(true)', so raw HTML embedded in a package's Markdown README passes through the renderer unmodified. The frontend then assigns the rendered HTML to 'innerHTML' without further sanitization. A malicious package author can therefore embed arbitrary JavaScript in their README, and it executes in the renderer when a user clicks to view the package details. Because SiYuan's Electron configuration enables 'nodeIntegration: true' with 'contextIsolation: false', page scripts have direct access to Node.js APIs, so this cross-site scripting (XSS) escalates directly to full Remote Code Execution (RCE).

The affected backend function is renderREADME in kernel/bazaar/package.go:635-645. The frontend innerHTML assignment is in app/src/config/bazaar.ts:607. The Electron configuration is in app/electron/main.js:422-426.

The issue was exploited through the Bazaar (community marketplace) by submitting a malicious package with a crafted README file. Attackers can use HTML elements such as img, svg, details, and picture to hide payloads, for example in event-handler attributes rather than in an obvious script tag. Exploitation can lead to full remote code execution, data theft, and the installation of persistent backdoors.
Recommendations: Both listed version ranges (3.6.0 and earlier, 3.5.9 and earlier) need the same two changes. On the backend, enable Lute sanitization for README rendering by calling luteEngine.SetSanitize(true) on the engine used in the renderREADME function in kernel/bazaar/package.go before the Markdown is rendered. On the frontend, as a defense-in-depth measure, sanitize the rendered HTML with DOMPurify before assigning it to innerHTML in app/src/config/bazaar.ts. Note that the nodeIntegration and contextIsolation settings are what turn any renderer XSS into RCE; the recommended sanitization closes this injection point but does not change that escalation path, so other HTML sinks in the renderer deserve the same scrutiny.
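The advisory names the element types used to hide payloads (img, svg, details, picture) and describes a render path that passes raw HTML straight to innerHTML. The following is an added example, not code from SiYuan, Lute or this advisory: a small triage scanner in Go that a reviewer or user can run over a Bazaar package README before trusting it, flagging the raw HTML that an unsanitized render would pass through and a browser would execute. The sample README and its payloads are constructed for the example. It is a regex heuristic for triage, not a sanitizer; it can be evaded and complements, rather than replaces, SetSanitize(true) on the backend and DOMPurify on the frontend.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one raw-HTML construct in a README that would survive an
// unsanitized Lute render and could execute once assigned to innerHTML.
type Finding struct {
	Line   int    // 1-based line of the README where the tag starts
	Reason string // why it was flagged
	Text   string // the tag as written
}

var (
	// Any raw HTML tag; group 1 is the closing slash, 2 the name, 3 the attributes.
	// [^>]* also crosses newlines, so a tag split over lines to hide it is still seen.
	tagRe = regexp.MustCompile(`(?i)<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>`)
	// Inline event handlers: onerror=, onload=, ontoggle=, ... The leading class
	// also catches the "<svg/onload=" form, which needs no whitespace.
	handlerRe = regexp.MustCompile(`(?i)(?:^|[\s"'/])on[a-z]+\s*=`)
	// Script-capable URL schemes in URL-bearing attributes.
	urlRe = regexp.MustCompile(`(?i)\b(?:href|src|srcset|xlink:href|action|formaction|data)\s*=\s*["']?\s*(?:javascript|vbscript)\s*:`)
	// Fenced code blocks: HTML inside them is rendered as text, not as markup.
	fenceRe = regexp.MustCompile("^\\s*(```|~~~)")
)

// Elements that load or run code by themselves, whatever their attributes.
var activeTags = map[string]bool{
	"script": true, "iframe": true, "object": true, "embed": true,
	"base": true, "meta": true, "link": true, "form": true,
}

// blankFences empties the lines of fenced code blocks (keeping the newlines)
// so that reported line numbers for the remaining text stay correct.
func blankFences(md string) string {
	lines := strings.Split(md, "\n")
	inFence := false
	for i, l := range lines {
		if fenceRe.MatchString(l) {
			inFence = !inFence
			lines[i] = ""
		} else if inFence {
			lines[i] = ""
		}
	}
	return strings.Join(lines, "\n")
}

// ScanREADME flags raw HTML that an unsanitized renderer would pass through
// and a browser would execute. Closing tags are skipped; each opening tag
// yields at most one finding.
func ScanREADME(md string) []Finding {
	text := blankFences(md)
	var out []Finding
	for _, loc := range tagRe.FindAllStringSubmatchIndex(text, -1) {
		if loc[3] > loc[2] { // closing tag such as </svg>
			continue
		}
		tag := strings.ToLower(text[loc[4]:loc[5]])
		attrs := text[loc[6]:loc[7]]
		line := strings.Count(text[:loc[0]], "\n") + 1
		raw := text[loc[0]:loc[1]]
		switch {
		case activeTags[tag]:
			out = append(out, Finding{line, "active element <" + tag + ">", raw})
		case handlerRe.MatchString(attrs):
			out = append(out, Finding{line, "event handler on <" + tag + ">", raw})
		case urlRe.MatchString(attrs):
			out = append(out, Finding{line, "script URL on <" + tag + ">", raw})
		}
	}
	return out
}

// sampleREADME is a constructed package README, not one from the Bazaar. It
// mixes a harmless preview image with payloads hidden in the element types the
// advisory names, plus an HTML sample inside a code fence that must not fire.
const sampleREADME = `# Widget theme
A clean theme for SiYuan. Install it from the Bazaar.

<img src="https://example.invalid/preview.png" alt="preview">

<img src=x onerror="alert(1)">
<svg/onload="alert(2)"></svg>
<details open ontoggle="alert(3)"><summary>Changelog</summary></details>
<picture><source srcset=x onerror="alert(4)"></picture>
<a href="javascript:alert(5)">Docs</a>

~~~html
<script>alert('code sample, rendered as text')</script>
~~~
`

func main() {
	for _, f := range ScanREADME(sampleREADME) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Reason, f.Text)
	}
}
```

Run against the constructed README it reports the five hidden payloads (lines 6 to 10) and nothing for the legitimate preview image or the fenced sample. Treat any finding as a reason to read the README source rather than the rendered package page, since the rendered page is exactly the sink the advisory describes.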

Tags: Exploit · Fix · RCE · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33066
GHSA-4663-4MPG-879V
GHSA-8Q5W-MMXF-48JG
GO-2026-4743
SUSE-SU-2026:1135-1

Affected Products

DOMPurify
Electron
SiYuan
Lute