CVE-2026-54158: Stored Cross-Site Scripting to Host Remote Code Execution in SiYuan
Vulnerability ID: CVE-2026-54158
CVSS Score: 9.9
Published: 2026-07-10
A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.
TL;DR
Missing output escaping in SiYuan's database view renderer combined with insecure Electron configurations enables attackers to escalate Stored XSS into Remote Code Execution via shared workspaces.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79, CWE-1188
- Attack Vector: Network (AV:N)
- CVSS Score: 9.9 (Critical)
- Exploit Status: Proof-of-Concept
- Access Required: Low Privileges (PR:L)
- User Interaction: None (UI:N)
- Impact: Remote Code Execution (RCE)
Affected Systems
- SiYuan Desktop Clients (Electron)
- SiYuan Self-hosted Synced Workspaces
-
SiYuan: < 3.7.0 (Fixed in:
3.7.0)
Code Analysis
Commit: 27e0051
Fix XSS in genAVValueHTML by properly escaping text, url, phone, and mAsset attributes.
Mitigation Strategies
- Upgrade to SiYuan 3.7.0 or higher
- Disable nodeIntegration in Electron client builds
- Restrict workspace synchronization to trusted sources
Remediation Steps:
- Download the latest installer for SiYuan version 3.7.0 or newer from the official repository.
- Install the update to replace the vulnerable frontend rendering components.
- Verify that any shared workspaces do not contain modified attribute-view databases with script injections.
References
Read the full report for CVE-2026-54158 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)