Description

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.
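
As an added example (not part of the advisory or of SiYuan's code), the Python script below triages a package README for raw HTML that a Markdown renderer without sanitization would pass through to innerHTML. The sample README, the tag and attribute lists, and the names audit_readme and RawHtmlAudit are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample README (not taken from a real package).
SAMPLE_README = """# Handy Theme

Markup shown as code is harmless: `<script>`.

~~~html
<script>displayed as text, not rendered</script>
~~~

<img src="logo.png" onerror="alert(1)">
<a href="JavaScript:alert(1)">docs</a>
<details><summary>Changelog</summary>v1.0</details>
"""

# Assumed review list: elements a package README has no reason to carry as raw HTML.
REVIEW_TAGS = {"script", "iframe", "object", "embed", "base", "meta", "link", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")
FENCE = re.compile(r"^(```|~~~).*?^\1[^\n]*$", re.S | re.M)
INLINE_CODE = re.compile(r"`[^`\n]+`")

class RawHtmlAudit(HTMLParser):
    """Collects (line, reason) pairs for raw HTML that needs review."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in REVIEW_TAGS:
            self.findings.append((line, f"element <{tag}>"))
        for name, value in attrs:
            # Conservative normalization: URL parsers drop tabs/newlines, ignore scheme case.
            url = re.sub(r"[\x00-\x20]+", "", value or "").lower()
            if name.startswith("on"):  # over-reports on purpose; this is triage
                self.findings.append((line, f"event handler {name} on <{tag}>"))
            elif name in URL_ATTRS and url.startswith(SCRIPT_SCHEMES):
                self.findings.append((line, f"script URL in {name} on <{tag}>"))

def audit_readme(markdown):
    # Blank out fenced and inline code (rendered as text), keeping line numbers.
    text = FENCE.sub(lambda m: "\n" * m.group(0).count("\n"), markdown)
    parser = RawHtmlAudit()
    parser.feed(INLINE_CODE.sub("", text))
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, reason in audit_readme(SAMPLE_README):
        print(f"README line {line}: {reason}")
```

Findings are review hints for packages already installed or mirrored, not a substitute for sanitizing at render time; the issue itself is fixed by upgrading to version 3.6.1.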

INFO

Published Date: 2026-03-20T08:11:52.675Z
Last Modified: 2026-03-20T21:23:07.778Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-33066 vulnerability.

Vendor    Products
B3log     Siyuan
Siyuan    Siyuan