DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-54070: CVE-2026-54070: Stored Cross-Site Scripting via Modern HTML5 Event Handler Bypass in SiYuan Bazaar

CVE-2026-54070: Stored Cross-Site Scripting via Modern HTML5 Event Handler Bypass in SiYuan Bazaar

Vulnerability ID: CVE-2026-54070
CVSS Score: 7.1
Published: 2026-07-10

A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan prior to version 3.7.0. The vulnerability is located within the server-side Markdown-to-HTML parsing component for the Bazaar marketplace packages. Due to an incomplete event-handler attribute blocklist in the lute parsing engine and a lack of client-side DOM sanitization, malicious package authors can bypass restrictions using modern HTML5 event handlers. When an authenticated administrator views a malicious package, the embedded JavaScript runs in the administrator origin, allowing unauthorized workspace access, local file reading, and remote API execution.

TL;DR

Stored XSS in SiYuan's Bazaar package rendering component allows unauthenticated attackers to execute arbitrary JavaScript in the context of the administrator origin, leading to complete workspace compromise.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 / CWE-184
  • Attack Vector: Network
  • CVSS Score: 7.1 (High)
  • EPSS Score: 0.0018 (Percentile: 7.75%)
  • Impact: Stored Cross-Site Scripting (XSS)
  • Exploit Status: poc
  • KEV Status: Not Listed

Affected Systems

  • SiYuan Note-Taking Application
  • SiYuan: < 3.7.0 (Fixed in: 3.7.0)

Code Analysis

Commit: 27e0051

Fix sanitization bypass inside package README renderer in Lute markdown parser

Exploit Details

Mitigation Strategies

  • Upgrade SiYuan to version 3.7.0 or above
  • Block outbound application requests to unauthorized public package registries
  • Avoid browsing third-party marketplace listings until the application is updated

Remediation Steps:

  1. Identify all deployed SiYuan application instances and verify current versions.
  2. Download the release package for version 3.7.0 or newer from the official distribution channel.
  3. Install the update, restart the local service, and confirm the version display in Settings -> About.
  4. Monitor outbound server logs for unexpected HTTP requests to unknown external domains.

References


Read the full report for CVE-2026-54070 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)