Advisory Database
  • Advisories
  • Dependency Scanning
  1. golang
  2. ›
  3. github.com/siyuan-note/siyuan/kernel
  4. ›
  5. CVE-2026-54067

CVE-2026-54067: SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()

July 10, 2026

A CSS snippet body containing </style> breaks out of its surrounding <style> tag when renderSnippet() interpolates it via insertAdjacentHTML. A payload like </style><img src=x onerror="..."> runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so require('child_process') is reachable from the injected handler and the XSS chains to host RCE. Snippets sync via the workspace repository, so an attacker with write access to any synced workspace plants the payload once and it fires on every device that pulls.

The bug also bypasses the user’s enabledCSS / enabledJS separation. A user who turned enabledJS off was making a deliberate call not to run untrusted JavaScript; the CSS path runs it anyway.

References

  • github.com/advisories/GHSA-mvjr-vv3c-w4qv
  • github.com/siyuan-note/siyuan/security/advisories/GHSA-mvjr-vv3c-w4qv
  • nvd.nist.gov/vuln/detail/CVE-2026-54067

Code Behaviors & Features

Detect and mitigate CVE-2026-54067 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.0.0-20260628153353-2d5d72223df4

Fixed versions

  • 0.0.0-20260628153353-2d5d72223df4

Solution

Upgrade to version 0.0.0-20260628153353-2d5d72223df4 or above.

Impact 9.9 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-1188: Initialization of a Resource with an Insecure Default
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

go/github.com/siyuan-note/siyuan/kernel/CVE-2026-54067.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 11 Jul 2026 12:16:33 +0000.