CVE-2026-33067 in SiYuan

Summary

by MITRE • 03/20/2026

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.


Analysis

by VulDB Data Team • 03/26/2026

CVE-2026-33067 affects SiYuan, a personal knowledge management system shipped as a desktop application built on Electron. The flaw is in the Bazaar marketplace view, where the application builds the markup for package listings with JavaScript template literals and interpolates the metadata fields displayName and description without HTML escaping. The root cause is a missing output-encoding step rather than a missing input filter: metadata supplied by a third-party package author is written into the page as markup instead of as text. This is a classic cross-site scripting flaw, categorized under CWE-79, "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')". The attack surface is any package whose metadata SiYuan fetches and renders for the Bazaar listing, since the author of that package controls the injected fields.
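The rendering pattern the analysis describes, as an added example that is not SiYuan's code: a template literal that interpolates package metadata unescaped, beside a hardened version that encodes the fields first. The field names displayName and description are the ones the advisory names; the card markup, the helper names and the sample package are constructed for this illustration.

```javascript
// Added example, not SiYuan's code: the unsafe rendering pattern the
// advisory describes (template literal, no HTML escaping) beside a hardened
// version. Field names displayName/description are from the advisory; the
// card markup, helper names and the sample package are constructed here.

// Constructed sample: a Bazaar-style package whose metadata carries markup.
const maliciousPackage = {
  displayName: 'Nice Theme<img src=x onerror="alert(document.title)">',
  description: 'A theme </div><script>alert(1)</script>',
};

// Vulnerable: untrusted fields interpolated straight into markup. Once this
// string reaches innerHTML, the onerror handler fires as the card renders.
// In a renderer with nodeIntegration on, that handler can call require().
function renderPackageCardUnsafe(pkg) {
  return `<div class="pkg-card">
  <div class="pkg-card__title">${pkg.displayName}</div>
  <div class="pkg-card__desc">${pkg.description}</div>
</div>`;
}

// Hardened: encode the five HTML-significant characters before interpolation,
// so metadata can only ever become text content or quoted attribute text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderPackageCardSafe(pkg) {
  return `<div class="pkg-card">
  <div class="pkg-card__title">${escapeHtml(pkg.displayName)}</div>
  <div class="pkg-card__desc">${escapeHtml(pkg.description)}</div>
</div>`;
}

// Test-time check: list tag names in rendered HTML that the template itself
// did not emit. Anything reported here came from the metadata. (Heuristic
// regex for unit tests; it is not a sanitizer.)
function injectedTagsIn(html, templateTags = ['div']) {
  const found = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!templateTags.includes(name)) found.push(name);
  }
  return found;
}

console.log(injectedTagsIn(renderPackageCardUnsafe(maliciousPackage))); // [ 'img', 'script', 'script' ]
console.log(injectedTagsIn(renderPackageCardSafe(maliciousPackage)));   // []
```

Escaping at the interpolation point is one fix; assigning the fields through textContent on a created element is the other, and both leave the metadata as inert text. The injectedTagsIn check is the kind of assertion worth keeping in the test suite for any view that renders data fetched from a marketplace.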

Exploitation is particularly dangerous because of the application's Electron configuration, which enables nodeIntegration: true together with contextIsolation: false. That combination removes the boundary between page JavaScript and Node.js: any script running in the renderer can call require() and reach the file system, child processes and the network with the user's privileges. When a user opens the Bazaar page, the HTML/JavaScript embedded in the package metadata executes automatically; no click on the malicious package is needed, only opening the marketplace tab. This turns what would normally be a client-side scripting issue into remote code execution on the victim's machine. The behaviour maps to ATT&CK technique T1059.007, "Command and Scripting Interpreter: JavaScript", and T1203, "Exploitation for Client Execution", since it abuses the application's legitimate JavaScript execution environment to gain unauthorized system access. The protections that would contain an ordinary XSS in a browser, above all the absence of Node APIs in a web page, do not apply inside this renderer.
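The configuration combination the analysis names, as an added example that is neither SiYuan's nor Electron's code: the weak webPreferences beside a hardened set, with a small audit helper that flags the settings under which any HTML injection in the renderer becomes host code execution. The option names are Electron's real BrowserWindow webPreferences keys; the defaults encoded here follow Electron's documented defaults for recent major versions, and auditWebPreferences, the two sample configurations and the preload path are constructed for this illustration.

```javascript
// Added example, not SiYuan's or Electron's code: an audit helper for the
// BrowserWindow webPreferences combination the advisory names. The option
// names are Electron's real webPreferences keys; auditWebPreferences, the
// sample configurations and the preload path are constructed here.

// Electron's documented defaults for current major versions. sandbox is
// handled separately below because its default depends on nodeIntegration.
const ELECTRON_DEFAULTS = { nodeIntegration: false, contextIsolation: true, webSecurity: true };

// The configuration described in the advisory.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };

// Hardened: no Node in the renderer, isolated worlds, Chromium sandbox on.
// Privileged operations go through a preload script that exposes a narrow
// API via contextBridge and ipcRenderer (the preload path is a placeholder).
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: 'preload.js',
};

function auditWebPreferences(prefs) {
  const p = { ...ELECTRON_DEFAULTS, ...prefs };
  // Electron documents the sandbox as on by default since Electron 20,
  // except when nodeIntegration is explicitly enabled.
  if (p.sandbox === undefined) p.sandbox = !p.nodeIntegration;

  const findings = [];
  if (p.nodeIntegration) {
    findings.push('nodeIntegration: true exposes require() and Node APIs to renderer scripts');
  }
  if (!p.contextIsolation) {
    findings.push('contextIsolation: false lets page scripts reach preload globals and Electron internals');
  }
  if (!p.sandbox) {
    findings.push('sandbox: false runs the renderer outside the Chromium sandbox');
  }
  if (!p.webSecurity) {
    findings.push('webSecurity: false disables same-origin checks in the renderer');
  }
  // The advisory's escalation path: injected script runs in a world that has
  // Node, so any HTML injection in this renderer is code execution on the host.
  const xssIsRce = p.nodeIntegration && !p.contextIsolation;
  return { xssIsRce, findings };
}

console.log(auditWebPreferences(weakPrefs));     // xssIsRce: true, three findings
console.log(auditWebPreferences(hardenedPrefs)); // xssIsRce: false, findings: []
```

Running the helper over every BrowserWindow an application creates is a cheap static check to add to CI; the same four settings are what a reviewer reads first when triaging any XSS report against an Electron application, because they decide whether the bug is cosmetic or a full compromise.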

The operational impact goes well beyond data theft or display manipulation. Injected code runs with the privileges of the victim's user account, so an attacker can read local files, establish persistence, modify system configuration, or exfiltrate the contents of the SiYuan knowledge base. Because the injection point is the marketplace listing itself, every user who browses the Bazaar is a potential target, and vetting a package before installing it does not help: the payload fires when the listing is rendered, before any installation decision is made. The general lesson is that output escaping matters most in applications whose rendering context carries elevated privileges, as an Electron renderer with nodeIntegration does. The issue is fixed in version 3.6.1; after updating, users should confirm the running version is 3.6.1 or later before opening the Bazaar again.

The wider lesson is one Electron applications keep relearning: nodeIntegration: true combined with contextIsolation: false means every injection bug in rendered content is a code execution bug, so data reaching the renderer has to be handled with the same care as input to a privileged process. Users of SiYuan should update to version 3.6.1 or later. Developers of Electron applications should keep nodeIntegration off and contextIsolation on, enable the renderer sandbox, expose only the narrow set of privileged operations the UI needs through a preload script, and escape or insert as text nodes any data that originates outside the application. Security testing should cover both static review of how untrusted fields are rendered and dynamic tests that feed hostile metadata through the real marketplace code path.

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00109

KEV

no

Activities

very low
