CVE-2026-54070
Deferred Deferred - Pending Action

Stored XSS in SiYuan Knowledge Management System

Vulnerability report for CVE-2026-54070, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schools legacy handler list. That map omits modern event handlers. onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend are not in the list, so the sanitizer passes them through verbatim on any tag. The frontend assigns the rendered HTML to mdElement.innerHTML in app/src/config/bazaar.ts with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires. The README is rendered when an Administrator opens a package in Settings β†’ Marketplace, after the one-time marketplace trust consent. Install is not required. Result: a third-party Bazaar package author runs JavaScript in the Administrator's authenticated SiYuan origin when the Administrator views and interacts with the package listing, and gains full control of the workspace. This vulnerability is fixed in 3.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
siyuan siyuan to 3.7.0 (exc)
siyuan siyuan 3.7.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, prior to version 3.7.0. The issue is in how the system renders Bazaar package README files from Markdown to HTML using the lute engine with a sanitizer that only blocks a fixed list of legacy event handler attributes. Modern event handlers like onpointerover, onpointerdown, and others are not blocked and are passed through verbatim.

Because the frontend assigns this rendered HTML directly to an element's innerHTML without additional client-side sanitization or security headers, a malicious third-party Bazaar package author can inject JavaScript event handlers. When an Administrator views and interacts with the package listing, this JavaScript runs with the Administrator's authenticated privileges, allowing full control over the workspace.

This vulnerability is fixed in version 3.7.0.

Impact Analysis

The vulnerability allows a third-party Bazaar package author to execute arbitrary JavaScript code within the context of an authenticated Administrator's session in SiYuan.

This can lead to full compromise of the Administrator's workspace, including unauthorized access, modification, or deletion of data managed by SiYuan.

Because the attack requires the Administrator to view and interact with the malicious package listing, it involves user interaction but can result in high impact due to the elevated privileges.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.0 or later, where the issue is fixed.

Avoid opening Bazaar package READMEs in the Settings β†’ Marketplace section until the upgrade is applied, especially as an Administrator.

Compliance Impact

This vulnerability allows a malicious package author to execute JavaScript in the administrator's authenticated session, potentially leading to full control of the workspace and theft of sensitive information such as the kernel API token.

Such unauthorized access and control can result in breaches of confidentiality and integrity of data, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA that mandate protection of sensitive data and prevention of unauthorized access.

The lack of security measures such as proper sanitization and Content-Security-Policy headers increases the risk of data exposure and unauthorized actions, thereby negatively impacting compliance with these regulations.

Detection Guidance

This vulnerability involves malicious JavaScript injected via event handlers in the README files of Bazaar packages rendered in the SiYuan application. Detection involves inspecting the rendered README HTML for the presence of modern event handler attributes that bypass the sanitizer, such as onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend.

To detect potential exploitation or presence of this vulnerability on your system, you can search for these event handler attributes in the README files or in the HTML content served by the SiYuan application.

  • Use command-line tools like grep to scan README files or rendered HTML for suspicious event handlers, for example:
  • grep -E 'onpointerover|onpointerdown|onauxclick|onbeforetoggle|onfocusin|onanimationstart|ontransitionend' path/to/bazaar/readme/files/*.md
  • If you have access to the running application or its HTTP responses, you can capture and inspect the HTML content for these event handlers using tools like curl and grep:
  • curl -s http://your-siyuan-instance/path/to/package/readme | grep -E 'onpointerover|onpointerdown|onauxclick|onbeforetoggle|onfocusin|onanimationstart|ontransitionend'

Additionally, monitoring for unexpected JavaScript execution or unusual administrator interactions with the Bazaar marketplace README pages may help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54070. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart