XSS Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-33067

5.3 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 20 March 2026

What is CVE-2026-33067?

The SiYuan personal knowledge management system, in versions 3.6.0 and earlier, mishandles package metadata fields: they are rendered with JavaScript template literals without HTML escaping, so an attacker who controls a package's metadata can inject arbitrary HTML or JavaScript into the Bazaar page. Because SiYuan's Electron configuration sets nodeIntegration: true and disables contextIsolation, injected script runs with Node.js access, so simply opening the Bazaar page can lead to complete remote code execution on the victim's operating system. The issue underscores the importance of escaping untrusted input in template rendering and of hardened renderer settings. A patch is available in version 3.6.1, which addresses this vulnerability.
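The two rendering patterns the advisory contrasts, as an added example that is not SiYuan's code: `renderCardUnsafe` interpolates metadata fields straight into a template literal, while `renderCardSafe` passes every field through an HTML escaper. The package record, the card markup, the function names and the `WEAK_WEB_PREFERENCES` / `HARDENED_WEB_PREFERENCES` objects are all constructed for illustration; the Electron `webPreferences` keys themselves (`nodeIntegration`, `contextIsolation`, `sandbox`) are real options.

```javascript
// Added example, not code from SiYuan. Shows unescaped vs. escaped rendering
// of untrusted package metadata and a check on Electron renderer settings.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the one the advisory describes): metadata fields are
// interpolated as raw HTML, so markup inside a field becomes part of the DOM.
function renderCardUnsafe(pkg) {
  return `<div class="card"><h3>${pkg.name}</h3><p>${pkg.description}</p><span>${pkg.author}</span></div>`;
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderCardSafe(pkg) {
  return `<div class="card"><h3>${escapeHtml(pkg.name)}</h3><p>${escapeHtml(pkg.description)}</p><span>${escapeHtml(pkg.author)}</span></div>`;
}

// Constructed sample record (hypothetical): one field carries a script tag.
const SAMPLE_PKG = {
  name: 'example-theme',
  description: '<script>alert(1)</script>A theme',
  author: 'someone',
};

// Detection helper: does the rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: the renderer settings the advisory names. With the weak
// settings any injected script can reach Node.js; the hardened set is the
// usual Electron recommendation (assumed here, not SiYuan's actual config).
const WEAK_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

function isRendererHardened(prefs) {
  return prefs.nodeIntegration === false && prefs.contextIsolation === true;
}

// Stand-alone run: show both renderings and the settings check.
console.log('unsafe:', renderCardUnsafe(SAMPLE_PKG));
console.log('safe:  ', renderCardSafe(SAMPLE_PKG));
console.log('weak prefs hardened?', isRendererHardened(WEAK_WEB_PREFERENCES));
console.log('hardened prefs hardened?', isRendererHardened(HARDENED_WEB_PREFERENCES));
```

The escaper is the fix for the rendering bug; the `webPreferences` check is the second layer, since with `nodeIntegration` off and `contextIsolation` on an injected script is confined to the page rather than the operating system.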

Affected Version(s)

siyuan < 3.6.1

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
