Summary
SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
Full technical description
SiYuan v3.6.5 and earlier versions contain a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This is a neighbor-bug of CVE-2026-44588: the fix for -44588 used escapeAriaLabel() (double-escapes <), but the AV asset renderers were left using the weaker escapeAttr() (escapes only quotes) or no escaping at all.
Vulnerability Details
The Electron renderer is configured with nodeIntegration: true and contextIsolation: false (app/electron/main.js:307), allowing any JavaScript executing in the renderer to directly access Node.js APIs including require('child_process').
Two XSS sinks exist.
Sink 1 (Direct Stored XSS - triggers on page load)
app/src/protyle/render/av/cell.ts:1008:
text += `<span class="b3-chip av__celltext--url ariaLabel" aria-label="${escapeAttr(item.content)}" data-name="${escapeAttr(item.name)}"
data-url="${escapeAttr(item.content)}">${item.name || item.content}`;
The >${item.name || item.content}</span> portion is raw user input with zero escaping.
app/src/protyle/render/av/blockAttr.ts:93 (even worse - completely unescaped):
html += `<img loading="lazy" class="av__cellassetimg ariaLabel" aria-label="${item.content}" src="${getCompressURL(item.content)}">`;
Rendered via action.ts:860: cellElement.innerHTML = renderCell(...) results in immediate XSS on page load.
Sink 2 (Hover-triggered XSS via aria-label round-trip)
- Same lines emit
aria-label="${escapeAttr(item.content)}"on.ariaLabelelements. escapeAttr()(util/escape.ts:14) escapes only"and', NOT<or>.popover.ts:33global mouseover handler readsaria-labelviagetAttribute(which attribute-decodes entities).- Line 144:
showTooltip(decodeURIComponent(tip), ...)thentooltip.ts:41:messageElement.innerHTML = messageresults in XSS on hover.
Source
app/src/protyle/render/av/asset.ts:405:addAssetLink()reads user input from a free-form<textarea>with no sanitization.- Kernel stores
MAsset.Contentraw (kernel/av/value.go:53), no server-side sanitization.
Attack Vector
- Attacker creates a malicious note containing an Attribute View (database).
- Attacker adds an asset cell with link content:
<img src=x onerror=require('child_process').exec('calc')> - Victim opens the note for immediate RCE (Sink 1), or hovers over the cell for RCE (Sink 2).
- In a sync/collaboration scenario, the malicious note propagates to all users.
Proof of Concept
Payload (Direct XSS), in an AV asset cell link field, enter:
<img src=x onerror=alert(document.domain)>
For RCE in Electron desktop:
<img src=x onerror=require('child_process').exec('calc')>
Steps to Reproduce
- Open SiYuan desktop app (v3.6.5).
- Create a new document.
- Insert an Attribute View (database):
/then select "Table". - Add a column of type "Asset".
- Click the asset cell, then "Add Link".
- In the "Link" textarea, paste:
<img src=x onerror=alert(1)> - Leave "Title" empty or fill with benign text.
- Click outside the dialog to save.
- Observe: Alert fires immediately (Sink 1). Hovering over the cell also triggers (Sink 2).
Impact
- Remote Code Execution on victim's system via malicious note sync/import.
- Data exfiltration: attacker can read all notes, access filesystem, steal credentials.
- Persistence: malicious payload stored in
.syfiles, executes on every open.
Suggested Fix
- Replace
escapeAttr()withescapeAriaLabel()for allaria-labelattributes in AV cell renderers. - Escape
item.nameanditem.contentwithescapeHtml()before concatenating into element text content.
Affected files: app/src/protyle/render/av/cell.ts, app/src/protyle/render/av/blockAttr.ts, app/src/protyle/render/av/asset.ts.
Additional Context
This vulnerability is a neighbor-bug of CVE-2026-44588. The fix for -44588 correctly used escapeAriaLabel() (which double-escapes < to survive the attribute -> getAttribute -> innerHTML round-trip), but the AV asset cell renderers were left using the weaker escapeAttr() or no escaping. This is part of a pattern of incomplete fixes in SiYuan (see also CVE-2026-33066, CVE-2026-29183). The long-term fix should set ElectroncontextIsolation: true and nodeIntegration: false.
Report
Reporter (GitHub: Yunkaiwjs).
Impact
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
CVE-2026-50551 has a CVSS score of 9.9 (Critical). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.0.0-20260628153353-2d5d72223df4); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-50551? CVE-2026-50551 is a critical-severity cross-site scripting (XSS) vulnerability in github.com/siyuan-note/siyuan/kernel (go), affecting versions < 0.0.0-20260628153353-2d5d72223df4. It is fixed in 0.0.0-20260628153353-2d5d72223df4. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
- How severe is CVE-2026-50551? CVE-2026-50551 has a CVSS score of 9.9 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/siyuan-note/siyuan/kernel are affected by CVE-2026-50551? github.com/siyuan-note/siyuan/kernel (go) versions < 0.0.0-20260628153353-2d5d72223df4 is affected.
- Is there a fix for CVE-2026-50551? Yes. CVE-2026-50551 is fixed in 0.0.0-20260628153353-2d5d72223df4. Upgrade to this version or later.
- Is CVE-2026-50551 exploitable, and should I be worried? Whether CVE-2026-50551 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-50551 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-50551? Upgrade
github.com/siyuan-note/siyuan/kernelto 0.0.0-20260628153353-2d5d72223df4 or later.