CVE-2026-59833 in SiYuaninfo

Summary

by MITRE • 07/10/2026

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored cross-site scripting in document export-preview and Bazaar package README render paths that can execute OS commands in the Electron desktop renderer. This issue is fixed in versions 3.7.1.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The SiYuan knowledge management system presents a critical server-side request forgery vulnerability that affects versions prior to 3.7.1, specifically within its document export-preview and Bazaar package README rendering functionalities. This vulnerability stems from the Lute engine's HTML sanitization process which fails to adequately filter dangerous javascript schemes in form action attributes and SVG xlink:href elements, creating an avenue for stored cross-site scripting attacks that can ultimately execute operating system commands within the Electron desktop renderer environment.

The technical flaw resides in the insufficient validation of HTML attributes within the Lute engine's sanitization routine, where the javascript scheme block specifically omits checks for form action and SVG xlink:href attributes. This oversight allows attackers to inject malicious content through stored XSS vectors that can leverage the Electron framework's capabilities to execute arbitrary operating system commands with the privileges of the running application. The vulnerability affects both document export-preview functionality and Bazaar package README rendering paths, creating multiple attack surfaces within the system's content management infrastructure.

The operational impact of this vulnerability extends beyond typical cross-site scripting scenarios as it enables attackers to escalate privileges through command execution capabilities inherent in the Electron desktop environment. When users view exported documents or browse Bazaar packages containing maliciously crafted HTML content, the renderer processes these inputs without adequate sanitization, potentially allowing adversaries to gain unauthorized access to system resources, execute arbitrary code, and compromise user data integrity. This represents a significant security risk for users who rely on SiYuan for sensitive personal knowledge management.

The remediation implemented in version 3.7.1 addresses this vulnerability by enhancing the Lute engine's sanitization process to properly validate form action attributes and SVG xlink:href elements against dangerous javascript schemes, thereby preventing stored XSS attacks from escalating to command execution capabilities. This fix aligns with established security practices for HTML sanitization and follows principles outlined in CWE-79 for cross-site scripting prevention and CWE-15 for proper input validation. Organizations should prioritize upgrading to SiYuan version 3.7.1 or later to mitigate this risk, while also implementing additional monitoring for suspicious content uploads that may attempt to exploit similar vulnerabilities in other components of their knowledge management infrastructure.

The vulnerability demonstrates the importance of comprehensive HTML sanitization across all attribute types within rendering engines, particularly when dealing with user-generated content in desktop applications. Security practitioners should consider this issue as part of broader application security assessments and implement multi-layered defenses including content security policies, regular security updates, and user input validation to prevent similar vulnerabilities from occurring in other systems. This case also highlights the need for thorough testing of sanitization routines against various attack vectors, particularly in environments where rendered content can interact with underlying system capabilities through frameworks like Electron.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!