3 matches found
SiYuan has incomplete fix for CVE-2026-33066: XSS
Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...
CVE-2026-33066
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any...
CVE-2026-33066
creationtimestamp| type| source ---|---|--- 2026-03-17 00:49:21+00:00| published-proof-of-concept| https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v 2026-03-20 09:58:06+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mhiawcd5np27 2026-04-17 03:38:28+00:00...