Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attacker (package author) needs no privileges on the target (PR:N), but exploitation requires an Administrator to grant marketplace trust and interact with the listing (UI:R, AC:H); script in the origin yields high C/I and limited A.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schools legacy handler list. That map omits modern event handlers. onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend are not in the list, so the sanitizer passes them through verbatim on any tag. The frontend assigns the rendered HTML to mdElement.innerHTML in app/src/config/bazaar.ts with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires. The README is rendered when an Administrator opens a package in Settings → Marketplace, after the one-time marketplace trust consent. Install is not required. Result: a third-party Bazaar package author runs JavaScript in the Administrator's authenticated SiYuan origin when the Administrator views and interacts with the package listing, and gains full control of the workspace. This vulnerability is fixed in 3.7.0.
AnalysisAI
Stored cross-site scripting in SiYuan personal knowledge management system before 3.7.0 allows a third-party Bazaar package author to execute JavaScript in an Administrator's authenticated workspace origin. The lute sanitizer used by renderPackageREADME relies on a stale event-handler blocklist that omits modern DOM event attributes (onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, ontransitionend), and the rendered README HTML is injected via innerHTML with no client-side DOMPurify and no CSP/X-Frame-Options/X-Content-Type-Options headers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the SiYuan instance to be older than 3.7.0 and the victim to be an Administrator who has already accepted the one-time Marketplace trust consent, then opens an attacker-published Bazaar package in Settings → Marketplace and interacts with the listing (e.g., hovers, clicks, or otherwise triggers a pointer/toggle/focusin/animation/transition event) so the injected inline handler fires. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L, base 7.1) is internally consistent with the description: network-reachable, but high complexity and required user interaction reflect that an Administrator must first grant one-time marketplace trust consent, then open a malicious package and interact with the listing to trigger an event handler. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious author publishes a Bazaar package whose README contains a benign-looking element carrying an inline modern event handler such as onpointerover or onbeforetoggle with a JavaScript payload. An Administrator browsing Settings → Marketplace opens the package listing and moves the pointer over or interacts with the rendered content, firing the handler; the script runs in the authenticated SiYuan origin and can take full control of the workspace. … |
| Remediation | Vendor-released patch: 3.7.0 - upgrade SiYuan to 3.7.0 or later, which fixes the renderPackageREADME sanitization gap, as documented in the advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w7cg-whh7-xp28. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all deployed SiYuan installations, identify active version numbers, and compile a list of installed Bazaar packages; restrict or disable Bazaar package installation capabilities until mitigations are implemented. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems. Rated critical severity (CVSS 9.8), t
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs. R
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent. Rated criti
A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory. Rated c
SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code ex
Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chro
Reflected XSS in SiYuan knowledge management before 3.5.9.
SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file ope
SiYuan version 3.0.3 allows executing arbitrary commands on the server. Rated critical severity (CVSS 9.0), this vulnera
SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to
Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers t
Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote att
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39126
GHSA-w7cg-whh7-xp28