Threat Advisory

SiYuan Vulnerabilities Target Electron Platforms

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in SiYuan Note. The issues include multiple stored cross-site scripting (XSS) vulnerabilities in Attribute View rendering, CSS snippet handling, and Bazaar package README rendering, which can escalate to remote code execution (RCE) in the Electron desktop client due to insecure Electron settings. Additional flaws allow unauthorized browser extensions to access administrative APIs, unauthenticated SQL-based data disclosure through dynamic icon rendering, and arbitrary file disclosure through a double URL decoding path traversal issue in the publish assets endpoint. Successful exploitation could enable attackers to execute arbitrary JavaScript, steal sensitive workspace data, access credentials, modify configurations, and fully compromise affected SiYuan installations.[/subscribe_to_unlock_form]


EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in SiYuan Note. The issues include multiple stored cross-site scripting (XSS) vulnerabilities in Attribute View rendering, CSS snippet handling, and Bazaar package README rendering, which can escalate to remote code execution (RCE) in the Electron desktop client due to insecure Electron settings. Additional flaws allow unauthorized browser extensions to access administrative APIs, unauthenticated SQL-based data disclosure through dynamic icon rendering, and arbitrary file disclosure through a double URL decoding path traversal issue in the publish assets endpoint. Successful exploitation could enable attackers to execute arbitrary JavaScript, steal sensitive workspace data, access credentials, modify configurations, and fully compromise affected SiYuan installations.[emaillocker id="1283"]

CVE-2026-54066 (CVSS 7.5 — High): Path Traversal via Double URL Encoding in /assets/*path allows an attacker with publish mode arbitrary file-read capability.

CVE-2026-54067 (CVSS 9.9 — Critical): Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet allows an attacker to execute code remotely.

CVE-2026-54068 (CVSS 5.9 — Medium): Unauthenticated SQLite Data Exfiltration via Template Injection in allows an attacker to read sensitive data.

CVE-2026-54069 (CVSS 9.2 — Critical): Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist allows an attacker to access administrative features.

CVE-2026-54070 (CVSS 7.1 — High): Stored XSS in Bazaar marketplace via package README event handlers allows an attacker to execute code remotely.

CVE-2026-54158 (CVSS 9.9 — Critical): Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML allows an attacker to execute code remotely.

CVE-2026-50551 (CVSS 9.9 — Critical): A stored XSS vulnerability caused by unsanitized Attribute View asset cell content in SiYuan allows attackers to execute arbitrary code remotely through the Electron desktop client.

RECOMMENDATION:

 

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-p4m3-mgmm-c664
https://github.com/advisories/GHSA-mvjr-vv3c-w4qv
https://github.com/advisories/GHSA-gcm7-57gf-953c
https://github.com/advisories/GHSA-hvr9-72v2-fff3
https://github.com/advisories/GHSA-w7cg-whh7-xp28
https://github.com/advisories/GHSA-5xfx-xj4h-5p7r
https://github.com/advisories/GHSA-56mp-4f3v-fgj2

[/emaillocker]
crossmenu