CVE-2026-33066
Published: 20 March 2026
Summary
CVE-2026-33066 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). Its exploit likelihood ranks at the 26.0th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Requires filtering of rendered HTML output from unsanitized Markdown to prevent injection of arbitrary JavaScript via innerHTML assignment.
- SI-10 (Information Input Validation): Mandates validation and sanitization of Markdown inputs from external packages to block raw HTML that bypasses the lute renderer sanitization.
- Enforces secure Electron configuration settings such as contextIsolation: true and nodeIntegration: false to prevent XSS from escalating to full RCE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS vulnerability enables arbitrary JavaScript execution in an Electron app with an insecure configuration (nodeIntegration: true, contextIsolation: false). This leads to RCE upon user interaction when viewing a malicious package's README.md, which directly matches Exploitation for Client Execution (T1203).
NVD Description
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.
Deeper analysis
CVE-2026-33066 is a cross-site scripting (XSS) vulnerability (CWE-79) in SiYuan, an open-source personal knowledge management system built with Electron. It affects versions 3.6.0 and earlier. The flaw originates in the backend's renderREADME function, which uses lute.New() without invoking SetSanitize(true), permitting raw HTML embedded in Markdown files to bypass sanitization. The frontend then inserts this unsanitized HTML directly into innerHTML without further checks, enabling arbitrary JavaScript execution. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
An attacker with low privileges, such as a malicious package author on a platform integrated with SiYuan, can embed JavaScript in a package's README.md file. Exploitation occurs when a victim user clicks to view the package details page, triggering the malicious script. Because SiYuan's Electron configuration sets nodeIntegration to true and contextIsolation to false, this client-side XSS escalates directly to full remote code execution (RCE) on the victim's local system, potentially allowing arbitrary file access, data theft, or further compromise.
The issue was addressed in SiYuan version 3.6.1. The GitHub security advisory (GHSA-4663-4mpg-879v) and the patching commit (b382f50e1880ed996364509de5a10a72d7409428) detail the fix, which involves enabling sanitization in the lute renderer to strip dangerous HTML elements from Markdown input. Security practitioners should urge users to update to 3.6.1 or later and review Electron-based applications for similar insecure configurations.
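As an added example (not SiYuan's code or the 3.6.1 patch), the Node script below shows the two defensive checks this analysis points to: a fail-closed gate that refuses to assign rendered README HTML to innerHTML when active content survived rendering, and an audit of an Electron webPreferences object for the nodeIntegration/contextIsolation combination that turns XSS into RCE. The sample README HTML, the preference objects and the function names are constructed for illustration; the real fix is renderer-side sanitization (SetSanitize(true)), which this gate complements rather than replaces.

```javascript
// Added example, not SiYuan's code: a fail-closed innerHTML gate and an
// Electron webPreferences audit for the two conditions in the advisory.

// Signs that active content survived Markdown rendering. This is a
// detection gate rather than a sanitizer: one hit means innerHTML is not used.
const ACTIVE_CONTENT = [
  { name: "script tag", re: /<\s*script\b/i },
  { name: "embedding tag", re: /<\s*(iframe|object|embed)\b/i },
  { name: "inline event handler", re: /\bon[a-z]+\s*=/i },
  { name: "javascript: URL", re: /\b(href|src)\s*=\s*["']?\s*javascript:/i },
];

// Returns the names of the patterns found in rendered HTML (empty if clean).
function findActiveContent(html) {
  return ACTIVE_CONTENT.filter((p) => p.re.test(html)).map((p) => p.name);
}

// Decides how README HTML reaches the DOM. Clean output may use innerHTML;
// anything flagged is downgraded to a plain-text node (textContent), which
// the browser never parses as markup. A false positive only costs formatting.
function renderReadme(html) {
  const reasons = findActiveContent(html);
  if (reasons.length === 0) return { mode: "innerHTML", html };
  return { mode: "textContent", text: html, reasons };
}

// Audits a BrowserWindow webPreferences object for the two settings the
// advisory names as the reason XSS escalates to RCE. Only explicit values
// are judged; absent keys fall back to Electron's own defaults.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration is true");
  if (prefs.contextIsolation === false) findings.push("contextIsolation is false");
  return findings;
}

// Constructed sample inputs (not taken from any real package or app).
const BENIGN_README = "<h1>My plugin</h1><p>Adds <em>things</em>.</p>";
const HOSTILE_README = '<h1>My plugin</h1><img src=x onerror="run()">';
const INSECURE_PREFS = { nodeIntegration: true, contextIsolation: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true };

console.log(renderReadme(BENIGN_README).mode);    // innerHTML
console.log(renderReadme(HOSTILE_README).mode);   // textContent
console.log(auditWebPreferences(INSECURE_PREFS)); // two findings
console.log(auditWebPreferences(HARDENED_PREFS)); // []
```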
Details
- CWE(s)