GHSA-4663-4mpg-879v: SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
Summary
SiYuan's Bazaar (a community marketplace for plugins and themes) renders package README files without sanitizing their HTML, so a malicious package author can embed JavaScript that runs when a user views the package details. Because SiYuan runs on Electron (a framework for building desktop apps) with `nodeIntegration: true` (giving page JavaScript direct access to Node.js APIs, and through them to the operating system), the issue escalates from stored XSS (cross-site scripting, where attacker-controlled markup is injected into a page) to full remote code execution (the ability to run arbitrary commands on the user's computer).
Solution / Mitigation
Update to SiYuan version 3.5.10 or later. The vulnerability affects SiYuan <= 3.5.9.
Vulnerability Details
EPSS: 0.0%
Original source: https://github.com/advisories/GHSA-4663-4mpg-879v
First tracked: March 18, 2026 at 01:00 PM
Classified by LLM (prompt v3) · confidence: 95%