CVE-2026-54070: Stored Cross-Site Scripting via Modern HTML5 Event Handler Bypass in SiYuan Bazaar
Vulnerability ID: CVE-2026-54070
CVSS Score: 7.1
Published: 2026-07-10
A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan prior to version 3.7.0. The vulnerability is located within the server-side Markdown-to-HTML parsing component for the Bazaar marketplace packages. Due to an incomplete event-handler attribute blocklist in the lute parsing engine and a lack of client-side DOM sanitization, malicious package authors can bypass restrictions using modern HTML5 event handlers. When an authenticated administrator views a malicious package, the embedded JavaScript runs in the administrator origin, allowing unauthorized workspace access, local file reading, and remote API execution.
TL;DR
Stored XSS in SiYuan's Bazaar package rendering component allows unauthenticated attackers to execute arbitrary JavaScript in the context of the administrator origin, leading to complete workspace compromise.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79 / CWE-184
- Attack Vector: Network
- CVSS Score: 7.1 (High)
- EPSS Score: 0.0018 (Percentile: 7.75%)
- Impact: Stored Cross-Site Scripting (XSS)
- Exploit Status: poc
- KEV Status: Not Listed
Affected Systems
- SiYuan Note-Taking Application
-
SiYuan: < 3.7.0 (Fixed in:
3.7.0)
Code Analysis
Commit: 27e0051
Fix sanitization bypass inside package README renderer in Lute markdown parser
Exploit Details
- GitHub Security Advisory: Documented proof of concept outlining exploitation via pointer and animation events.
Mitigation Strategies
- Upgrade SiYuan to version 3.7.0 or above
- Block outbound application requests to unauthorized public package registries
- Avoid browsing third-party marketplace listings until the application is updated
Remediation Steps:
- Identify all deployed SiYuan application instances and verify current versions.
- Download the release package for version 3.7.0 or newer from the official distribution channel.
- Install the update, restart the local service, and confirm the version display in Settings -> About.
- Monitor outbound server logs for unexpected HTTP requests to unknown external domains.
References
- GitHub Security Advisory GHSA-w7cg-whh7-xp28
- NVD CVE-2026-54070 Detail
- SiYuan Fix Commit 27e0051e0d067892e833df1063cb2fb469600e98
- CVE-2026-54070 Record
Read the full report for CVE-2026-54070 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)