CVE-2026-54067
Deferred Deferred - Pending Action

SiYuan Prior to 3.7.0 Stored XSS via CSS Snippet

Vulnerability report for CVE-2026-54067, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing </style> breaks out of its surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so require('child_process') is reachable from the injected handler and the XSS chains to host RCE. Snippets sync via the workspace repository, so an attacker with write access to any synced workspace plants the payload once and it fires on every device that pulls. The bug also bypasses the user's enabledCSS / enabledJS separation. A user who turned enabledJS off was making a deliberate call not to run untrusted JavaScript; the CSS path runs it anyway. This vulnerability is fixed in 3.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
siyuan si_yuan 3.7.0
siyuan si_yuan to 3.7.0 (exc)
siyuan si_yuan to 3.6.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions prior to 3.7.0. It occurs because a CSS snippet body containing the string '</style>' breaks out of its surrounding <style> tag when the renderSnippet() function interpolates it using insertAdjacentHTML. This allows an attacker to inject arbitrary JavaScript into the renderer.

On Electron desktop builds, the renderer runs with nodeIntegration set to true, which means the injected JavaScript can access Node.js modules like 'child_process'. This enables an attacker to escalate the cross-site scripting (XSS) vulnerability to remote code execution (RCE) on the host machine.

The vulnerability can be exploited by an attacker who has write access to any synced workspace, as the malicious payload syncs via the workspace repository and executes on every device that pulls the workspace. Additionally, this bug bypasses user settings that disable JavaScript execution (enabledJS off), as the CSS path still runs the injected JavaScript.

This vulnerability was fixed in version 3.7.0 of SiYuan.

Impact Analysis

This vulnerability can have severe impacts including:

  • Arbitrary JavaScript execution within the application renderer.
  • Remote code execution (RCE) on the host machine due to nodeIntegration being enabled, allowing attackers to run system commands.
  • Compromise of all devices that sync the infected workspace, as the malicious payload propagates through the workspace repository.
  • Bypassing of user security settings that disable JavaScript execution, increasing the risk of unintended code execution.

Overall, this can lead to full system compromise, data theft, or further malware installation.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.0 or later, where the issue is fixed.

Additionally, restrict write access to synced workspaces to trusted users only, as an attacker with write access can plant malicious payloads.

Be aware that disabling JavaScript execution via enabledJS does not prevent this vulnerability, so relying on that setting alone is insufficient.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code remotely on affected devices by exploiting stored XSS that escalates to remote code execution. Such a severe security flaw can lead to unauthorized access, data breaches, and compromise of confidentiality, integrity, and availability of sensitive information.

Because of these impacts, organizations using affected versions of SiYuan may face challenges in maintaining compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Specifically, the ability for an attacker to execute code and potentially access or manipulate data across synced devices increases the risk of data leakage or alteration, which could violate data protection requirements and incident response obligations under these regulations.

Detection Guidance

This vulnerability involves malicious CSS snippets containing payloads like </style><img src=x onerror="..."> saved in the data/snippets/conf.json file. Detection involves inspecting this file for suspicious or unexpected HTML or JavaScript code injected within CSS snippets.

You can detect the presence of such malicious snippets by searching for suspicious patterns in the conf.json file, for example by using command-line tools to look for the string '</style>' or 'onerror' attributes within the snippets.

  • Use grep to search for suspicious payloads in the snippets configuration file: grep -E '</style>|onerror' data/snippets/conf.json
  • Check for unexpected modifications or additions in the workspace repository that syncs snippets across devices.

Since the vulnerability can be exploited via synced workspaces, monitoring for unauthorized changes or write access to the workspace repository is also important.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart