CVE-2026-54067
SiYuan Prior to 3.7.0 Stored XSS via CSS Snippet

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, a CSS snippet body containing </style> breaks out of its surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so require('child_process') is reachable from the injected handler and the XSS chains to host RCE. Snippets sync via the workspace repository, so an attacker with write access to any synced workspace plants the payload once and it fires on every device that pulls. The bug also bypasses the user's enabledCSS / enabledJS separation: a user who turned enabledJS off made a deliberate choice not to run untrusted JavaScript, and the CSS path runs it anyway. This vulnerability is fixed in 3.7.0.
Weaknesses (CWE)
CWE-1188: The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, in versions prior to 3.7.0. It occurs because a CSS snippet body containing the string '</style>' breaks out of its surrounding <style> tag when the renderSnippet() function interpolates it using insertAdjacentHTML. This allows an attacker to inject arbitrary JavaScript into the renderer.

On Electron desktop builds, the renderer runs with nodeIntegration set to true, which means the injected JavaScript can access Node.js modules like 'child_process'. This enables an attacker to escalate the cross-site scripting (XSS) vulnerability to remote code execution (RCE) on the host machine.
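
The breakout mechanism described above, as an added example that is not SiYuan's code: a reconstruction of the unsafe string-building pattern, a small tokenizer that mimics where the HTML parser ends a <style> element, a detection check that covers the case and whitespace variants of the end tag, and a textContent-based rendering path. The function names, the fake document object and the sample snippet are all constructed for illustration and do not come from the project.

```javascript
// Added example, not SiYuan's code: models the <style> breakout the advisory
// describes and a defensive handling of it. All names here are hypothetical.

// Per the HTML parsing rules, the text inside a <style> element (RAWTEXT) ends
// at the first "</style" (ASCII case-insensitive) that is followed by
// whitespace, "/" or ">". Anything else, such as "</styles", stays CSS text.
const STYLE_END_TAG = /<\/style[\t\n\f \/>]/i;

// Vulnerable pattern (reconstructed from the advisory text, not the project's
// source): the snippet body is spliced into an HTML string that is later
// handed to insertAdjacentHTML, so the HTML parser re-tokenizes it.
function buildStyleHtmlUnsafe(cssBody) {
  return `<style>${cssBody}</style>`;
}

// Mimics how the HTML tokenizer splits that string: CSS text up to the first
// end-tag sequence, then whatever follows is parsed as ordinary markup.
function tokenizeStyleHtml(html) {
  const openTag = '<style>';
  if (!html.startsWith(openTag)) throw new Error('expected leading <style>');
  const body = html.slice(openTag.length);
  const m = STYLE_END_TAG.exec(body);
  if (m === null) return { css: body, trailingMarkup: '' };
  const endOfTag = body.indexOf('>', m.index);
  const rest = endOfTag === -1 ? '' : body.slice(endOfTag + 1);
  // The template's own closing tag is now orphaned; a browser ignores such a
  // stray end tag, so drop it to show only what is parsed as new markup.
  return { css: body.slice(0, m.index), trailingMarkup: rest.replace(/<\/style>$/i, '') };
}

// Detection gate: refuse a snippet body that could terminate the element.
// A naive includes('</style>') check misses case and whitespace variants.
function hasStyleBreakout(cssBody) {
  return STYLE_END_TAG.test(cssBody);
}

// Constructed stand-in for the browser DOM so the example runs offline in
// Node; it models only the members the safe path touches.
function makeFakeDocument() {
  return {
    createElement(tag) {
      return { tagName: tag.toUpperCase(), textContent: '' };
    },
  };
}

// Hardened rendering: reject breakout sequences, then hand the body to the DOM
// as text. textContent is never tokenized as HTML, so markup cannot be
// injected through it; the gate stays as defense in depth for any later path
// that serializes the element back into an HTML string.
function renderSnippetSafe(cssBody, doc) {
  if (hasStyleBreakout(cssBody)) {
    throw new Error('snippet rejected: contains a </style> end-tag sequence');
  }
  const el = doc.createElement('style');
  el.textContent = cssBody;
  return el;
}

// Constructed sample: a benign rule followed by a breakout sequence. The
// injected markup is an inert <p> so the mechanism is visible without a script.
const SAMPLE_SNIPPET = 'body { color: red; }</STYLE ><p>injected</p>';

function demo() {
  const unsafe = tokenizeStyleHtml(buildStyleHtmlUnsafe(SAMPLE_SNIPPET));
  console.log('unsafe path, CSS kept      :', JSON.stringify(unsafe.css));
  console.log('unsafe path, parsed as HTML:', JSON.stringify(unsafe.trailingMarkup));
  try {
    renderSnippetSafe(SAMPLE_SNIPPET, makeFakeDocument());
  } catch (e) {
    console.log('safe path                  :', e.message);
  }
}

demo();
```

The tokenizer shows the two halves of the problem: everything before the first end-tag sequence is still stylesheet text, and everything after it is parsed as live markup by the same insertAdjacentHTML call. One caveat worth keeping in mind: the serialized form of a style element (innerHTML/outerHTML) does not escape its text, so a body assigned via textContent and later round-tripped through an HTML string would break out again; that is why the example keeps the end-tag check in addition to the DOM-based assignment.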

The vulnerability can be exploited by an attacker who has write access to any synced workspace, as the malicious payload syncs via the workspace repository and executes on every device that pulls the workspace. Additionally, this bug bypasses user settings that disable JavaScript execution (enabledJS off), as the CSS path still runs the injected JavaScript.

This vulnerability was fixed in version 3.7.0 of SiYuan.

Impact Analysis

This vulnerability can have severe impacts including:

  • Arbitrary JavaScript execution within the application renderer.
  • Remote code execution (RCE) on the host machine due to nodeIntegration being enabled, allowing attackers to run system commands.
  • Compromise of all devices that sync the infected workspace, as the malicious payload propagates through the workspace repository.
  • Bypassing of user security settings that disable JavaScript execution, increasing the risk of unintended code execution.

Overall, this can lead to full system compromise, data theft, or further malware installation.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.0 or later, where the issue is fixed.

Additionally, restrict write access to synced workspaces to trusted users only, as an attacker with write access can plant malicious payloads.

Be aware that disabling JavaScript execution via enabledJS does not prevent this vulnerability, so relying on that setting alone is insufficient.
