CVE-2026-50551: Stored Cross-Site Scripting to Remote Code Execution via Attribute View Asset Cell Renderer in SiYuan
Vulnerability ID: CVE-2026-50551
CVSS Score: 9.9
Published: 2026-07-10
A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.
TL;DR
Stored XSS in SiYuan's database asset renderer allows unauthenticated remote code execution via synchronizing a maliciously crafted database in Electron clients.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network (AV:N)
- CVSS Score: 9.9 (Critical)
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof of Concept (PoC) documented
- KEV Status: Not listed
Affected Systems
- SiYuan (Desktop App & Self-hosted Server)
-
siyuan: < 3.7.0 (Fixed in:
3.7.0)
Code Analysis
Commit: 27e0051
Fix stored XSS vulnerability in Attribute View asset renderer by sanitizing asset names and attributes.
--- a/app/src/protyle/util/render.js
+++ b/app/src/protyle/util/render.js
// Dynamic concatenation replaced with secure DOM element creation APIs
Mitigation Strategies
- Upgrade the SiYuan application to version 3.7.0 or later immediately.
- Isolate self-hosted servers behind access control lists to prevent untrusted database synchronization.
- Enforce context isolation policies in desktop environments to contain potential renderer compromises.
Remediation Steps:
- Identify all deployed desktop clients and self-hosted instances of SiYuan.
- Download and install version 3.7.0 or higher from the official repository or application store.
- Verify the application version via the settings interface to ensure the patch is applied.
References
- GitHub Security Advisory GHSA-56mp-4f3v-fgj2
- NVD Vulnerability Detail
- CVE Authority Record
- Fix Merge Commit
Read the full report for CVE-2026-50551 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)