Jul 11, 2026·5 min read·6 visits
Missing output escaping in SiYuan's database view renderer combined with insecure Electron configurations enables attackers to escalate Stored XSS into Remote Code Execution via shared workspaces.
A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.
CVE-2026-54158 is a critical-severity vulnerability in the SiYuan open-source personal knowledge management system. The flaw exists in the frontend attribute-view cell renderer, specifically within the genAVValueHTML function. This component processes database cells for display in the block-attribute panel.
When an attacker inputs malicious HTML payload structures into specific cell types, the application fails to sanitize the output, leading to Stored Cross-Site Scripting. Because the desktop client runs inside an Electron wrapper with insecure defaults, this XSS propagates to Remote Code Execution on the host operating system.
The vulnerability exhibits high risk due to workspace synchronization. Synced workspaces distribute database cell values across all connected devices automatically, triggering the payload on any peer client opening the affected block-attribute panel.
The root cause is a combination of two distinct security issues: improper output neutralization in the database view renderer and insecure default privileges in the Electron configuration. In standard operations, the Go-based backend kernel sanitizes Inline Attribute List inputs using the html.EscapeAttrVal function.
This sanitization is absent in the attribute-view database engine. Malicious input values are stored byte-for-byte in the local database storage files under the workspace without verification or modifications on ingestion.
During rendering, the frontend function genAVValueHTML processes specific attribute types: text, url, phone, and mAsset. For these four types, the application inserts the raw string directly into the template container instead of encoding it. This allows structured HTML elements to escape their tag contexts.
In versions prior to 3.7.0, the vulnerable implementation of the genAVValueHTML renderer directly interpolates user input into raw HTML string templates. This lack of escaping allows the user input to close the active textarea block or attribute quotes and inject new DOM nodes.
Consider the following simplified representation of the vulnerable code in the frontend view engine:
// Vulnerable rendering function in versions < 3.7.0
function genAVValueHTML(type, value) {
switch (type) {
case 'text':
case 'url':
case 'phone':
case 'mAsset':
// Vulnerable: Direct interpolation allows HTML injection
return `<textarea class="av-cell-text">${value}</textarea>`;
default:
return escapeHTML(value);
}
}The patch implemented in commit 27e0051e0d067892e833df1063cb2fb469600e98 alters the handling of these four branches. Instead of direct template interpolation, the values undergo strict character escaping to sanitize special characters. This prevents the browser from interpreting the input as active code.
// Patched rendering function in version 3.7.0
function genAVValueHTML(type, value) {
switch (type) {
case 'text':
case 'url':
case 'phone':
case 'mAsset':
// Patched: Input is escaped before rendering
const escapedValue = escapeHTML(value);
return `<textarea class="av-cell-text">${escapedValue}</textarea>`;
default:
return escapeHTML(value);
}
}Exploitation requires write access to a shared or synced database workspace. The attacker inserts a specially crafted payload into a cell of type text, url, phone, or mAsset. Because the backend does not sanitize database cells during write operations, the payload persists exactly as written.
When a user synchronized with the workspace views the containing page and opens the block-attribute panel, the client executes the payload automatically. On the Electron desktop application, the renderer window operates with nodeIntegration set to true, which exposes the native Node.js process and require structures directly to the client-side JavaScript.
The following diagram illustrates the execution flow from the database sync to the operating system command shell:
The security impact is classified as Critical with a CVSS v3.1 base score of 9.9. The scope of the vulnerability is changed because the exploit successfully escapes the web browser sandbox and achieves command execution on the host system.
An attacker gains unauthenticated remote command execution under the security context of the user running the SiYuan desktop application. This allows complete access to the local filesystem, execution of arbitrary shell scripts, network reconnaissance, and potential lateral movement within the network environment.
While the EPSS score remains low, this is due to the nature of desktop software requiring workspace collaboration or shared synchronization folders. Targeted attacks against developers, security researchers, and knowledge workers who utilize shared markdown vaults carry a high probability of success if they do not upgrade.
The primary remediation strategy is upgrading the SiYuan application to version 3.7.0 or later. This release addresses the rendering vulnerability and neutralizes the XSS vector inside the attribute-view renderer.
In environments where an immediate upgrade is unfeasible, administrators should restrict workspace sharing and block synchronization from untrusted repositories. Analyzing local database and attribute-view files for script patterns can assist in detecting potential compromise.
For developers building similar Electron applications, disabling Node integration in the renderer process is critical for defense-in-depth. Setting nodeIntegration to false and enabling contextIsolation to true in the browser window configuration ensures that XSS bugs do not escalate to host compromises.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
SiYuan siyuan-note | < 3.7.0 | 3.7.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79, CWE-1188 |
| Attack Vector | Network (AV:N) |
| CVSS Score | 9.9 (Critical) |
| Exploit Status | Proof-of-Concept |
| Access Required | Low Privileges (PR:L) |
| User Interaction | None (UI:N) |
| Impact | Remote Code Execution (RCE) |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.
An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.
A directory traversal vulnerability exists in the mcp-atlassian integration server prior to version 0.22.0. The confluence_upload_attachment tool fails to restrict the paths of uploaded files, allowing authenticated users or external prompt injection payloads to retrieve and exfiltrate arbitrary files from the server's filesystem into Confluence.
A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.
Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.
An authentication bypass and token leakage vulnerability exists in TSDProxy before version 1.4.4. The application unconditionally forwards its internal administrative token to all proxied backend services when identity headers are enabled. Attackers with control over an upstream backend can capture this token and replay it to the local management API to achieve full administrative control over the proxy engine.