Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33067 is a critical vulnerability in SiYuan, a personal knowledge management system. Versions 3.6.0 and below improperly render package metadata fields such as displayName and description using template literals without HTML escaping. This allows a malicious package author to inject arbitrary HTML or JavaScript code into these fields.'}, {'type': 'paragraph', 'content': "When a user browses the Bazaar marketplace page, the injected malicious code executes automatically. Because SiYuan's Electron configuration enables nodeIntegration: true and disables contextIsolation, this stored Cross-Site Scripting (XSS) vulnerability escalates directly to full Remote Code Execution (RCE) on the victim's operating system without any user interaction beyond opening the Bazaar tab."}, {'type': 'paragraph', 'content': 'In summary, an attacker can submit a malicious plugin with crafted metadata that executes OS-level commands on any user who views the Bazaar marketplace, leading to a severe security breach.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have severe impacts including full remote code execution on any SiYuan desktop user who opens the Bazaar tab.'}, {'type': 'list_item', 'content': 'Attackers can execute arbitrary OS commands without any user interaction.'}, {'type': 'list_item', 'content': 'Potential theft of sensitive data such as API tokens, session cookies, and SSH keys.'}, {'type': 'list_item', 'content': "Installation of persistent backdoors or ransomware on the victim's system."}, {'type': 'list_item', 'content': 'Cross-platform impact affecting Windows, macOS, and Linux users.'}, {'type': 'list_item', 'content': 'Supply-chain attack risk affecting the entire SiYuan user base.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your SiYuan installation is running a vulnerable version (3.6.0 or below) and if malicious package metadata is present in the Bazaar marketplace.'}, {'type': 'paragraph', 'content': 'You can check the installed SiYuan version by running a command or checking the application about page.'}, {'type': 'list_item', 'content': 'Check SiYuan version: Look for version information in the application UI or run a command if available, e.g., `siyuan --version` (if supported).'}, {'type': 'list_item', 'content': 'Inspect the Bazaar plugin metadata files for suspicious HTML or JavaScript payloads in the `displayName` or `description` fields.'}, {'type': 'list_item', 'content': "Search for suspicious strings in plugin metadata files, for example using grep on the plugin directory: `grep -r --include='plugin.json' -E '<img|onerror|script' /path/to/siyuan/plugins`"}, {'type': 'list_item', 'content': 'Monitor network traffic for unexpected outbound connections initiated by SiYuan, which could indicate exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating SiYuan to version 3.6.1 or later, which contains the fix for this vulnerability.

• Upgrade SiYuan to version 3.6.1 or above to ensure that package metadata fields are properly escaped and the vulnerability is patched.
• Avoid opening the Bazaar tab or browsing plugins until the update is applied to prevent automatic execution of malicious payloads.
• If you maintain a SiYuan Bazaar index, sanitize all package metadata fields server-side to escape HTML characters and prevent malicious content from reaching clients.
• Harden Electron configuration by disabling `nodeIntegration` and enabling `contextIsolation` and sandboxing to reduce the attack surface.

Useful 0 Not Useful 0