CVE-2026-33067
Published: 20 March 2026
Summary
CVE-2026-33067 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 26.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Prevents XSS attacks by filtering untrusted package metadata outputs like displayName and description before rendering them on the Bazaar page using template literals.
- SI-10 (Information Input Validation): Validates package metadata inputs from the Bazaar marketplace to block malicious HTML/JavaScript injections by package authors.
- SI-2 (Flaw Remediation): Addresses the vulnerability through timely flaw remediation by applying patches such as the fix implemented in SiYuan version 3.6.1.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in the Electron client app (nodeIntegration enabled) directly enables client-side exploitation for arbitrary code execution (T1203); the resulting RCE allows use of command and script interpreters (T1059).
NVD Description
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.
Deeper analysis
CVE-2026-33067 is a cross-site scripting (XSS) vulnerability (CWE-79) in SiYuan, a personal knowledge management system built on Electron. Versions 3.6.0 and prior render package metadata fields, such as displayName and description, using template literals without proper HTML escaping. This allows injected arbitrary HTML and JavaScript to execute when users access the Bazaar marketplace page. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
A malicious package author with low privileges can exploit this by embedding malicious payloads in the affected metadata fields of a package published to the Bazaar marketplace. Any SiYuan user who browses the Bazaar page triggers automatic execution of the injected JavaScript. Due to SiYuan's Electron configuration enabling nodeIntegration: true and contextIsolation: false, the XSS escalates to full remote code execution (RCE) on the victim's operating system, requiring no further interaction beyond opening the marketplace tab.
The GitHub Security Advisory (GHSA-mvpm-v6q4-m2pf) confirms the issue has been addressed in SiYuan version 3.6.1. Security practitioners should urge users to update to 3.6.1 or later and avoid browsing untrusted packages in the Bazaar until patched.
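As an added example that is not SiYuan's own code, the following shows the render pattern the advisory describes (untrusted metadata interpolated straight into a template literal) beside a version that HTML-escapes each field before it reaches the DOM, which is the SI-15 output-filtering control named above. The function names, the card markup and the sample package metadata are constructed for illustration.

```javascript
// Added illustration, not code from the SiYuan project.
// Escape the five characters that let a value break out of text or
// attribute context in HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: raw metadata fields interpolated into markup that
// is later assigned to innerHTML (the CWE-79 defect the advisory describes).
function renderPackageCardVulnerable(pkg) {
  return `<div class="pkg-card">
  <h3>${pkg.displayName}</h3>
  <p>${pkg.description}</p>
</div>`;
}

// Hardened pattern: same markup, every untrusted field escaped first.
function renderPackageCardSafe(pkg) {
  return `<div class="pkg-card">
  <h3>${escapeHtml(pkg.displayName)}</h3>
  <p>${escapeHtml(pkg.description)}</p>
</div>`;
}

// Count HTML tags in a rendered fragment. The template itself contributes
// exactly six (div, h3, /h3, p, /p, /div); anything beyond that was
// smuggled in through the metadata.
const TEMPLATE_TAG_COUNT = 6;
function countTags(html) {
  return (html.match(/<[a-zA-Z!\/][^>]*>/g) || []).length;
}
function isSafelyRendered(html) {
  return countTags(html) === TEMPLATE_TAG_COUNT;
}

// Constructed sample: metadata as a hostile package author might publish it.
const hostilePackage = {
  displayName: "Nice Theme <script>evil()</script>",
  description: "Adds a <b>dark</b> mode",
};
```

With the hostile sample, the vulnerable renderer emits 10 tags and the hardened one emits only the template's 6, so a unit test on `isSafelyRendered` catches a regression to unescaped interpolation.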
Details
- CWE(s): CWE-79 (Cross-site Scripting)