CVE-2026-50551Critical· 9.9▾ MidnightSiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
▾ Midnight zone — Critical, or high with PoC / in-the-wild
impact 54.5 · likelihood 0.1 · exploitation 0
Need a working PoC? Pro members can cast a request and our team develops one — it lands right here.
SiYuan v3.6.5 and earlier versions contain a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This is a neighbor-bug of CVE-2026-44588: the fix for -44588 used escapeAriaLabel() (double-escapes <), but the AV asset renderers were left using the weaker escapeAttr() (escapes only quotes) or no escaping at all.
The Electron renderer is configured with nodeIntegration: true and contextIsolation: false (app/electron/main.js:307), allowing any JavaScript executing in the renderer to directly access Node.js APIs including require('child_process').
Two XSS sinks exist.
app/src/protyle/render/av/cell.ts:1008:
text += `<span class="b3-chip av__celltext--url ariaLabel" aria-label="${escapeAttr(item.content)}" data-name="${escapeAttr(item.name)}"
data-url="${escapeAttr(item.content)}">${item.name || item.content}</span>`;
The >${item.name || item.content}</span> portion is raw user input with zero escaping.
app/src/protyle/render/av/blockAttr.ts:93 (even worse - completely unescaped):
html += `<img loading="lazy" class="av__cellassetimg ariaLabel" aria-label="${item.content}" src="${getCompressURL(item.content)}">`;
Rendered via action.ts:860: cellElement.innerHTML = renderCell(...) results in immediate XSS on page load.
aria-label="${escapeAttr(item.content)}" on .ariaLabel elements.escapeAttr() (util/escape.ts:14) escapes only " and ' — NOT < or >.popover.ts:33 global mouseover handler reads aria-label via getAttribute (which attribute-decodes entities).showTooltip(decodeURIComponent(tip), ...) then tooltip.ts:41: messageElement.innerHTML = message results in XSS on hover.app/src/protyle/render/av/asset.ts:405: addAssetLink() reads user input from a free-form <textarea> with no sanitization.MAsset.Content raw (kernel/av/value.go:53), no server-side sanitization.<img src=x onerror=require('child_process').exec('calc')>Payload (Direct XSS) — in an AV asset cell link field, enter:
<img src=x onerror=alert(document.domain)>
For RCE in Electron desktop:
<img src=x onerror=require('child_process').exec('calc')>
/ then select "Table".<img src=x onerror=alert(1)>.sy files, executes on every open.escapeAttr() with escapeAriaLabel() for all aria-label attributes in AV cell renderers.item.name and item.content with escapeHtml() before concatenating into element text content.Affected files: app/src/protyle/render/av/cell.ts, app/src/protyle/render/av/blockAttr.ts, app/src/protyle/render/av/asset.ts.
This vulnerability is a neighbor-bug of CVE-2026-44588. The fix for -44588 correctly used escapeAriaLabel() (which double-escapes < to survive the attribute -> getAttribute -> innerHTML round-trip), but the AV asset cell renderers were left using the weaker escapeAttr() or no escaping. This is part of a pattern of incomplete fixes in SiYuan (see also CVE-2026-33066, CVE-2026-29183). The long-term fix should set ElectroncontextIsolation: true and nodeIntegration: false.
Reporter (GitHub: Yunkaiwjs).
github.com/siyuan-note/siyuan/kernel < 0.0.0-20260628153353-2d5d72223df4Upgrade to a patched release:
github.com/siyuan-note/siyuan/kernel 0.0.0-20260628153353-2d5d72223df4Connected by shared product, vendor, weakness, or advisory.
CVE-2026-54067Critical· 9.9SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
CVE-2026-54070High· 7.1SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
CVE-2026-54158Critical· 9.9SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
CVE-2026-54066High· 7.5SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894
CVE-2026-54068Medium· 5.9SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
CVE-2026-54069CriticalSiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist