DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-50551: CVE-2026-50551: Stored Cross-Site Scripting to Remote Code Execution via Attribute View Asset Cell Renderer in SiYuan

CVE-2026-50551: Stored Cross-Site Scripting to Remote Code Execution via Attribute View Asset Cell Renderer in SiYuan

Vulnerability ID: CVE-2026-50551
CVSS Score: 9.9
Published: 2026-07-10

A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.

TL;DR

Stored XSS in SiYuan's database asset renderer allows unauthenticated remote code execution via synchronizing a maliciously crafted database in Electron clients.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.9 (Critical)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept (PoC) documented
  • KEV Status: Not listed

Affected Systems

  • SiYuan (Desktop App & Self-hosted Server)
  • siyuan: < 3.7.0 (Fixed in: 3.7.0)

Code Analysis

Commit: 27e0051

Fix stored XSS vulnerability in Attribute View asset renderer by sanitizing asset names and attributes.

--- a/app/src/protyle/util/render.js
+++ b/app/src/protyle/util/render.js
// Dynamic concatenation replaced with secure DOM element creation APIs
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade the SiYuan application to version 3.7.0 or later immediately.
  • Isolate self-hosted servers behind access control lists to prevent untrusted database synchronization.
  • Enforce context isolation policies in desktop environments to contain potential renderer compromises.

Remediation Steps:

  1. Identify all deployed desktop clients and self-hosted instances of SiYuan.
  2. Download and install version 3.7.0 or higher from the official repository or application store.
  3. Verify the application version via the settings interface to ensure the patch is applied.

References


Read the full report for CVE-2026-50551 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)