Cyber Posture

CVE-2026-33066

Severity: Critical · Public PoC

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: (no value given)
Patch: (no value given)
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0009 (26.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in client applications to execute code.

Security Summary

CVE-2026-33066 is a cross-site scripting (XSS) vulnerability (CWE-79) in SiYuan, an open-source personal knowledge management system built with Electron. It affects versions 3.6.0 and earlier. The flaw originates in the backend's renderREADME function, which uses lute.New() without invoking SetSanitize(true), permitting raw HTML embedded in Markdown files to bypass sanitization. The frontend then inserts this unsanitized HTML directly into innerHTML without further checks, enabling arbitrary JavaScript execution. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

An attacker with low privileges, such as a malicious package author on a platform integrated with SiYuan, can embed JavaScript in a package's README.md file. Exploitation occurs when a victim clicks to view the package's details page: the application renders the README and the embedded script runs. Because SiYuan's Electron configuration sets nodeIntegration to true and contextIsolation to false, scripts in the renderer have direct access to Node.js APIs, so this client-side XSS escalates to full remote code execution (RCE) on the victim's local system, potentially allowing arbitrary file access, data theft, or further compromise.

The issue was addressed in SiYuan version 3.6.1. The GitHub security advisory (GHSA-4663-4mpg-879v) and the patching commit (b382f50e1880ed996364509de5a10a72d7409428) detail the fix, which involves enabling sanitization in the lute renderer to strip dangerous HTML elements from Markdown input. Security practitioners should urge users to update to 3.6.1 or later and review Electron-based applications for similar insecure configurations.
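A defender-side check for the Electron configuration the summary describes, added here as an example and not taken from SiYuan, the advisory or the fix commit; the webPreferences key names follow Electron's BrowserWindow API and the two sample configurations are constructed for illustration:

```javascript
// Audits an Electron BrowserWindow webPreferences object for the two settings
// the advisory identifies (nodeIntegration: true, contextIsolation: false)
// and reports whether their combination would turn a renderer XSS into code
// execution. Added example; not code from SiYuan or the advisory.
function auditWebPreferences(prefs) {
  const p = prefs || {};
  const findings = [];

  if (p.nodeIntegration === true) {
    findings.push({
      setting: 'nodeIntegration', value: true,
      reason: 'Renderer scripts can require() Node.js modules, so injected script runs with the desktop process\'s privileges.',
    });
  }
  if (p.contextIsolation === false) {
    findings.push({
      setting: 'contextIsolation', value: false,
      reason: 'Page scripts share one JavaScript world with the preload script instead of being isolated from it.',
    });
  }
  // Omitted keys fall back to the defaults of the Electron version in use,
  // which have changed across major releases, so flag them for manual review.
  for (const key of ['nodeIntegration', 'contextIsolation']) {
    if (!(key in p)) {
      findings.push({ setting: key, value: undefined,
        reason: 'Not set explicitly; confirm the default for the Electron version in use.' });
    }
  }

  // The escalation described in the advisory needs both conditions at once:
  // Node access in the renderer, and no isolation keeping page scripts out of it.
  const xssEscalatesToRce = p.nodeIntegration === true && p.contextIsolation === false;
  return { xssEscalatesToRce, findings };
}

// Constructed sample configurations: the weak combination and a hardened one.
const INSECURE_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

function demo() {
  for (const [name, prefs] of Object.entries({ INSECURE_PREFS, HARDENED_PREFS })) {
    const r = auditWebPreferences(prefs);
    console.log(`${name}: XSS escalates to RCE = ${r.xssEscalatesToRce}`);
    for (const f of r.findings) console.log(`  - ${f.setting}=${f.value}: ${f.reason}`);
  }
}
demo();
```

Run the same function over the webPreferences of every BrowserWindow an application creates; a window that reports xssEscalatesToRce true needs either sanitized rendering of untrusted HTML or a configuration change, preferably both.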

Details

CWE(s): CWE-79

Affected Products

b3log / siyuan: ≤ 3.6.1

MITRE ATT&CK Enterprise Techniques

T1203 · Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The XSS vulnerability enables arbitrary JavaScript execution in an Electron app with insecure configuration (nodeIntegration: true, contextIsolation: false), leading to RCE upon user interaction when viewing a malicious package's README.md, directly facilitating Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
