13 matches found
EUVD-2026-39126
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers...
CVE-2026-54070
CVE-2026-54070 — SiYuan : A Stored XSS in the Bazaar marketplace path arises before v3.7.0. renderPackageREADME converts Markdown READMEs to HTML using lute with SetSanitize(true), but the event-handler blocklist misses several modern handlers, allowing attributes like onpointerover, onpointerdow...
PT-2026-52110
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description The renderPackageREADME function in kernel/bazaar/readme.go renders Bazaar package READMEs from Markdown to HTML using the lute engine. The sanitizer uses a blocklist that omits modern event handlers,...
SiYuan has incomplete fix for CVE-2026-33066: XSS
Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...
GHSA-8Q5W-MMXF-48JG SiYuan has incomplete fix for CVE-2026-33066: XSS
Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...
CVE-2026-33066 SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any...
CVE-2026-33066 SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any...
CVE-2026-33066
SiYuan CVE-2026-33066 affects versions 3.6.0 and earlier, where renderREADME can pass unsanitized HTML from Markdown to innerHTML, enabling stored XSS that escalates to RCE in Electron (nodeIntegration: true, contextIsolation: false). The incomplete fix in 3.6.1–3.6.3 allowed iframe-based XSS via...
GHSA-4663-4MPG-879V SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
Stored XSS to RCE via Unsanitized Bazaar README Rendering Summary SiYuan's Bazaar community marketplace renders package README content without HTML sanitization. The backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through...
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
Stored XSS to RCE via Unsanitized Bazaar README Rendering Summary SiYuan's Bazaar community marketplace renders package README content without HTML sanitization. The backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through...
PT-2026-26188
Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and earlier SiYuan versions 3.5.9 and earlier Description SiYuan is a personal knowledge management system. The backend 'renderREADME' function uses 'lute.New' without calling 'SetSanitizetrue', allowing raw HTML embedded...
CVE-2026-23525
1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting XSS vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data...
CVE-2023-1767
The Snyk Advisor website https://snyk.io/advisor/ was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README fi...