SiYuan Stored XSS to RCE via CSS Snippet Breakout (CVE-2026-54067)
A critical stored cross-site scripting (XSS) vulnerability in SiYuan (CVE-2026-54067) allows an attacker with workspace write access to execute arbitrary JavaScript, which can escalate to remote code execution (RCE) on Electron desktop builds due to `nodeIntegration:true` settings, by injecting a malicious CSS snippet that bypasses security controls and executes automatically upon application boot.
A critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54067, has been identified in SiYuan, a note-taking application. This flaw affects versions up to go/github.com/siyuan-note/siyuan/kernel < 0.0.0-20260628153353-2d5d72223df4, including Electron desktop builds. An attacker with write access to a SiYuan workspace can exploit this by injecting a specially crafted CSS snippet containing </style> to break out of the HTML context. The application's renderSnippet() function, using insertAdjacentHTML, fails to properly sanitize user-controlled CSS content, leading to the execution of arbitrary JavaScript. On Electron desktop clients, which are configured with nodeIntegration:true, this XSS can be escalated to remote code execution (RCE) by leveraging Node.js child_process modules. The malicious snippet, once stored in the workspace configuration (data/snippets/conf.json), persists and automatically executes on every synced device upon application boot or snippet reload, without requiring user interaction, and also bypasses user-configured enabledJS settings.
Attack Chain
- An attacker gains write access to a SiYuan workspace via compromised credentials, shared filesystem access, or other means.
- The attacker crafts a malicious CSS snippet payload, such as
</style><img src=x onerror="require('child_process').execSync('open /Applications/Calculator.app')">. - The attacker uses the
/api/snippet/setSnippetendpoint to store this payload in the SiYuan workspace configuration, specifically indata/snippets/conf.json. - A victim launches or restarts their SiYuan desktop application (Electron build) which is synced with the compromised workspace.
- During application boot or snippet reload, the SiYuan renderer fetches the malicious snippet via
/api/snippet/getSnippet. - The
renderSnippet()function usesdocument.head.insertAdjacentHTML("beforeend", ...)to inject the snippet directly into a<style>tag. - The
</style>in the payload breaks out of the intended HTML context, causing the injected<img>tag and itsonerrorJavaScript attribute to be parsed and executed by the browser engine. - Because the Electron app is configured with
nodeIntegration:true, theonerrorhandler's JavaScript can access Node.js APIs likerequire('child_process'), enablingexecSync()to execute arbitrary commands, resulting in Remote Code Execution.
Impact
Successful exploitation of CVE-2026-54067 results in stored cross-site scripting (XSS) on SiYuan web, mobile, and Docker web builds, and escalates to remote code execution (RCE) on Electron desktop builds (Windows, macOS, Linux). The malicious payload executes automatically when the application boots or snippets are reloaded, requiring no further user interaction beyond having the application open. This bypasses the user's explicit intent to disable JavaScript execution, presenting a significant security risk. Any SiYuan user whose workspace has been compromised with write access is exposed to this vulnerability, leading to potential data theft, system compromise, or further network penetration.
Recommendation
- Patch CVE-2026-54067 by updating SiYuan to version
0.0.0-20260628153353-2d5d72223df4or later, which addresses the improper sanitization of CSS snippets. - Deploy the Sigma rules "Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - Windows" and "Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - macOS" to your endpoint detection and response (EDR) or security information and event management (SIEM) system to detect suspicious process creations originating from the SiYuan application.
- Monitor
process_creationlogs for the SiYuan application for any unusual child processes, especially shell interpreters (cmd.exe,powershell.exe,sh,bash) or unexpected executables.
Detection coverage 2
Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - Windows
criticalDetects CVE-2026-54067 exploitation where a malicious CSS snippet in SiYuan's Electron app uses `child_process.execSync` to execute arbitrary commands, leading to RCE by monitoring for suspicious child processes spawned by SiYuan on Windows.
Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - macOS
criticalDetects CVE-2026-54067 exploitation where a malicious CSS snippet in SiYuan's Electron app uses `child_process.execSync` to execute arbitrary commands, leading to RCE by monitoring for suspicious child processes spawned by SiYuan on macOS.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
docker-image
2
payload
1
url
| Type | Value |
|---|---|
| url | http://localhost:16806/api/snippet/setSnippet |
| payload | </style><img src=x onerror="document.title=\"SIYUAN_XSS\";window.__siyuan_xss=true"> |
| payload | <img src=x onerror="require('child_process').execSync('open /Applications/Calculator.app')"> |
| docker-image | b3log/siyuan:latest |