CVE-2026-33067: SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

March 18, 2026 (updated March 20, 2026)

SiYuan’s Bazaar (community marketplace) renders package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan’s Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim’s operating system — with zero user interaction beyond opening the marketplace tab.

References

github.com/advisories/GHSA-mvpm-v6q4-m2pf
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf
nvd.nist.gov/vuln/detail/CVE-2026-33067

Code Behaviors & Features

Detect and mitigate CVE-2026-33067 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →