{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/go/github.com/siyuan-note/siyuan/kernel--0.0.0-20260628153353-2d5d72223df4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-54067"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SiYuan v3.6.5","go/github.com/siyuan-note/siyuan/kernel \u003c 0.0.0-20260628153353-2d5d72223df4"],"_cs_severities":["critical"],"_cs_tags":["xss","rce","siyuan","electron","vulnerability","remote-code-execution","cross-site-scripting"],"_cs_type":"advisory","_cs_vendors":["SiYuan"],"content_html":"\u003cp\u003eA critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54067, has been identified in SiYuan, a note-taking application. This flaw affects versions up to \u003ccode\u003ego/github.com/siyuan-note/siyuan/kernel \u0026lt; 0.0.0-20260628153353-2d5d72223df4\u003c/code\u003e, including Electron desktop builds. An attacker with write access to a SiYuan workspace can exploit this by injecting a specially crafted CSS snippet containing \u003ccode\u003e\u0026lt;/style\u0026gt;\u003c/code\u003e to break out of the HTML context. The application's \u003ccode\u003erenderSnippet()\u003c/code\u003e function, using \u003ccode\u003einsertAdjacentHTML\u003c/code\u003e, fails to properly sanitize user-controlled CSS content, leading to the execution of arbitrary JavaScript. On Electron desktop clients, which are configured with \u003ccode\u003enodeIntegration:true\u003c/code\u003e, this XSS can be escalated to remote code execution (RCE) by leveraging Node.js \u003ccode\u003echild_process\u003c/code\u003e modules. The malicious snippet, once stored in the workspace configuration (\u003ccode\u003edata/snippets/conf.json\u003c/code\u003e), persists and automatically executes on every synced device upon application boot or snippet reload, without requiring user interaction, and also bypasses user-configured \u003ccode\u003eenabledJS\u003c/code\u003e settings.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains write access to a SiYuan workspace via compromised credentials, shared filesystem access, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious CSS snippet payload, such as \u003ccode\u003e\u0026lt;/style\u0026gt;\u0026lt;img src=x onerror=\u0026quot;require('child_process').execSync('open /Applications/Calculator.app')\u0026quot;\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003e/api/snippet/setSnippet\u003c/code\u003e endpoint to store this payload in the SiYuan workspace configuration, specifically in \u003ccode\u003edata/snippets/conf.json\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA victim launches or restarts their SiYuan desktop application (Electron build) which is synced with the compromised workspace.\u003c/li\u003e\n\u003cli\u003eDuring application boot or snippet reload, the SiYuan renderer fetches the malicious snippet via \u003ccode\u003e/api/snippet/getSnippet\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erenderSnippet()\u003c/code\u003e function uses \u003ccode\u003edocument.head.insertAdjacentHTML(\u0026quot;beforeend\u0026quot;, ...)\u003c/code\u003e to inject the snippet directly into a \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e tag.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e\u0026lt;/style\u0026gt;\u003c/code\u003e in the payload breaks out of the intended HTML context, causing the injected \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag and its \u003ccode\u003eonerror\u003c/code\u003e JavaScript attribute to be parsed and executed by the browser engine.\u003c/li\u003e\n\u003cli\u003eBecause the Electron app is configured with \u003ccode\u003enodeIntegration:true\u003c/code\u003e, the \u003ccode\u003eonerror\u003c/code\u003e handler's JavaScript can access Node.js APIs like \u003ccode\u003erequire('child_process')\u003c/code\u003e, enabling \u003ccode\u003eexecSync()\u003c/code\u003e to execute arbitrary commands, resulting in Remote Code Execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54067 results in stored cross-site scripting (XSS) on SiYuan web, mobile, and Docker web builds, and escalates to remote code execution (RCE) on Electron desktop builds (Windows, macOS, Linux). The malicious payload executes automatically when the application boots or snippets are reloaded, requiring no further user interaction beyond having the application open. This bypasses the user's explicit intent to disable JavaScript execution, presenting a significant security risk. Any SiYuan user whose workspace has been compromised with write access is exposed to this vulnerability, leading to potential data theft, system compromise, or further network penetration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54067 by updating SiYuan to version \u003ccode\u003e0.0.0-20260628153353-2d5d72223df4\u003c/code\u003e or later, which addresses the improper sanitization of CSS snippets.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules \u0026quot;Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - Windows\u0026quot; and \u0026quot;Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - macOS\u0026quot; to your endpoint detection and response (EDR) or security information and event management (SIEM) system to detect suspicious process creations originating from the SiYuan application.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e logs for the SiYuan application for any unusual child processes, especially shell interpreters (\u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003esh\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e) or unexpected executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:28:53Z","date_published":"2026-07-10T19:28:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-siyuan-xss-rce/","summary":"A critical stored cross-site scripting (XSS) vulnerability in SiYuan (CVE-2026-54067) allows an attacker with workspace write access to execute arbitrary JavaScript, which can escalate to remote code execution (RCE) on Electron desktop builds due to `nodeIntegration:true` settings, by injecting a malicious CSS snippet that bypasses security controls and executes automatically upon application boot.","title":"SiYuan Stored XSS to RCE via CSS Snippet Breakout (CVE-2026-54067)","url":"https://feed.craftedsignal.io/briefs/2026-07-siyuan-xss-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Go/Github.com/Siyuan-Note/Siyuan/Kernel \u003c 0.0.0-20260628153353-2d5d72223df4","version":"https://jsonfeed.org/version/1.1"}