CVE-2026-40922
Received Received - Intake
Incomplete XSS Sanitization in SiYuan Bazaar Enables RCE

Publication date: 2026-04-17

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not effectively filter srcdoc attributes which contain raw HTML rather than URLs. A malicious bazaar package author can include an iframe with a srcdoc attribute containing embedded scripts in their README. When other users view the package in SiYuan's marketplace UI, the payload executes in the Electron context with full application privileges, enabling arbitrary code execution on the user's machine. This issue has been fixed in version 3.6.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40922
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan From 3.6.1 (inc) to 3.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, specifically in versions 3.6.1 through 3.6.3. It is related to an incomplete fix for a previous cross-site scripting (XSS) issue in the bazaar README rendering. The system uses the Lute HTML sanitizer, which does not block iframe tags and fails to properly filter srcdoc attributes that contain raw HTML instead of URLs.

A malicious bazaar package author can exploit this by including an iframe with a srcdoc attribute containing embedded scripts in their README file. When other users view this package in SiYuan's marketplace UI, the malicious script executes within the Electron application context with full application privileges, allowing arbitrary code execution on the user's machine.

This vulnerability was fixed in version 3.6.4.

Impact Analysis

The vulnerability allows an attacker to execute arbitrary code on a user's machine with full application privileges when the user views a malicious package README in SiYuan's marketplace UI.

  • Potential unauthorized access to the user's system.
  • Execution of malicious scripts leading to data theft, system compromise, or further malware installation.
  • Loss of data integrity and confidentiality.
  • Compromise of the user's personal knowledge management data.
Mitigation Strategies

The vulnerability has been fixed in SiYuan version 3.6.4. The immediate step to mitigate this vulnerability is to upgrade SiYuan to version 3.6.4 or later.

This update addresses the incomplete fix for the XSS vulnerability by properly handling iframe tags and srcdoc attributes in the HTML sanitizer, preventing arbitrary code execution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40922. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart