Cross-Site Scripting Flaw in SiYuan Personal Knowledge Management System
CVE-2026-33066

5.3MEDIUM

Key Information:

Vendor: Siyuan-note
Status: Siyuan
Vendor: CVE Published:; 20 March 2026

🔔 Create Siyuan-note Vulnerability Alert

What is CVE-2026-33066?

The SiYuan personal knowledge management system contains a vulnerability in its backend render process, which permits raw HTML content within Markdown to execute without sanitization. By utilizing the lute.New() function without enabling SetSanitize(true), attackers can embed malicious JavaScript within README files. When users access these files, the unsafe HTML is rendered directly as innerHTML. Coupled with SiYuan's Electron settings that allow nodeIntegration: true and contextIsolation: false, this vulnerability could be exploited to achieve full Remote Code Execution. The issue has been addressed in version 3.6.1.

Affected Version(s)

siyuan < 3.6.1

References

https://github.com/siyuan-note/siyuan/security/advisories...

x_refsource_CONFIRM

https://github.com/siyuan-note/siyuan/commit/b382f50e1880...

x_refsource_MISC

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33066 Data

JSON