<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Go/Github.com/Siyuan-Note/Siyuan/Kernel &lt; 0.0.0-20260628153353-2d5d72223df4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/go/github.com/siyuan-note/siyuan/kernel--0.0.0-20260628153353-2d5d72223df4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:28:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/go/github.com/siyuan-note/siyuan/kernel--0.0.0-20260628153353-2d5d72223df4/feed.xml" rel="self" type="application/rss+xml"/><item><title>SiYuan Stored XSS to RCE via CSS Snippet Breakout (CVE-2026-54067)</title><link>https://feed.craftedsignal.io/briefs/2026-07-siyuan-xss-rce/</link><pubDate>Fri, 10 Jul 2026 19:28:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-siyuan-xss-rce/</guid><description>A critical stored cross-site scripting (XSS) vulnerability in SiYuan (CVE-2026-54067) allows an attacker with workspace write access to execute arbitrary JavaScript, which can escalate to remote code execution (RCE) on Electron desktop builds due to `nodeIntegration:true` settings, by injecting a malicious CSS snippet that bypasses security controls and executes automatically upon application boot.</description><content:encoded><![CDATA[<p>A critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-54067, has been identified in SiYuan, a note-taking application. This flaw affects versions up to <code>go/github.com/siyuan-note/siyuan/kernel &lt; 0.0.0-20260628153353-2d5d72223df4</code>, including Electron desktop builds. An attacker with write access to a SiYuan workspace can exploit this by injecting a specially crafted CSS snippet containing <code>&lt;/style&gt;</code> to break out of the HTML context. The application's <code>renderSnippet()</code> function, using <code>insertAdjacentHTML</code>, fails to properly sanitize user-controlled CSS content, leading to the execution of arbitrary JavaScript. On Electron desktop clients, which are configured with <code>nodeIntegration:true</code>, this XSS can be escalated to remote code execution (RCE) by leveraging Node.js <code>child_process</code> modules. The malicious snippet, once stored in the workspace configuration (<code>data/snippets/conf.json</code>), persists and automatically executes on every synced device upon application boot or snippet reload, without requiring user interaction, and also bypasses user-configured <code>enabledJS</code> settings.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains write access to a SiYuan workspace via compromised credentials, shared filesystem access, or other means.</li>
<li>The attacker crafts a malicious CSS snippet payload, such as <code>&lt;/style&gt;&lt;img src=x onerror=&quot;require('child_process').execSync('open /Applications/Calculator.app')&quot;&gt;</code>.</li>
<li>The attacker uses the <code>/api/snippet/setSnippet</code> endpoint to store this payload in the SiYuan workspace configuration, specifically in <code>data/snippets/conf.json</code>.</li>
<li>A victim launches or restarts their SiYuan desktop application (Electron build) which is synced with the compromised workspace.</li>
<li>During application boot or snippet reload, the SiYuan renderer fetches the malicious snippet via <code>/api/snippet/getSnippet</code>.</li>
<li>The <code>renderSnippet()</code> function uses <code>document.head.insertAdjacentHTML(&quot;beforeend&quot;, ...)</code> to inject the snippet directly into a <code>&lt;style&gt;</code> tag.</li>
<li>The <code>&lt;/style&gt;</code> in the payload breaks out of the intended HTML context, causing the injected <code>&lt;img&gt;</code> tag and its <code>onerror</code> JavaScript attribute to be parsed and executed by the browser engine.</li>
<li>Because the Electron app is configured with <code>nodeIntegration:true</code>, the <code>onerror</code> handler's JavaScript can access Node.js APIs like <code>require('child_process')</code>, enabling <code>execSync()</code> to execute arbitrary commands, resulting in Remote Code Execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54067 results in stored cross-site scripting (XSS) on SiYuan web, mobile, and Docker web builds, and escalates to remote code execution (RCE) on Electron desktop builds (Windows, macOS, Linux). The malicious payload executes automatically when the application boots or snippets are reloaded, requiring no further user interaction beyond having the application open. This bypasses the user's explicit intent to disable JavaScript execution, presenting a significant security risk. Any SiYuan user whose workspace has been compromised with write access is exposed to this vulnerability, leading to potential data theft, system compromise, or further network penetration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54067 by updating SiYuan to version <code>0.0.0-20260628153353-2d5d72223df4</code> or later, which addresses the improper sanitization of CSS snippets.</li>
<li>Deploy the Sigma rules &quot;Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - Windows&quot; and &quot;Detect SiYuan Electron RCE via Suspicious Child Process (CVE-2026-54067) - macOS&quot; to your endpoint detection and response (EDR) or security information and event management (SIEM) system to detect suspicious process creations originating from the SiYuan application.</li>
<li>Monitor <code>process_creation</code> logs for the SiYuan application for any unusual child processes, especially shell interpreters (<code>cmd.exe</code>, <code>powershell.exe</code>, <code>sh</code>, <code>bash</code>) or unexpected executables.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>xss</category><category>rce</category><category>siyuan</category><category>electron</category><category>vulnerability</category><category>remote-code-execution</category><category>cross-site-scripting</category></item></channel></rss>