CVE-2026-40922 Overview
CVE-2026-40922 is a Cross-Site Scripting (XSS) vulnerability in SiYuan, an open-source personal knowledge management system. This vulnerability represents an incomplete fix bypass for a previously patched XSS issue (CVE-2026-33066). The flaw exists in the bazaar README rendering functionality where the Lute HTML sanitizer fails to block iframe tags and does not effectively filter srcdoc attributes containing raw HTML rather than URLs.
A malicious bazaar package author can craft a README file containing an iframe element with a srcdoc attribute embedding malicious scripts. When unsuspecting users browse the package in SiYuan's marketplace UI, the payload executes within the Electron context with full application privileges, enabling arbitrary code execution on the victim's machine.
Critical Impact
This vulnerability allows remote attackers to execute arbitrary code on users' machines through malicious marketplace packages, compromising the full Electron application context and potentially gaining complete system access.
Affected Products
- B3log SiYuan versions 3.6.1 through 3.6.3
- SiYuan Desktop Application (Electron-based)
- SiYuan Bazaar/Marketplace Component
Discovery Timeline
- 2026-04-17 - CVE CVE-2026-40922 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40922
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting). The root issue stems from an incomplete security fix that was implemented to address a prior XSS vulnerability (CVE-2026-33066).
The prior fix enabled the Lute HTML sanitizer to prevent XSS attacks in bazaar README rendering. However, the sanitizer implementation has two critical gaps: it does not block iframe tags entirely, and its URL-prefix blocklist approach fails to account for srcdoc attributes. Unlike standard URL-based attributes like src, the srcdoc attribute contains raw HTML content directly embedded within the attribute value, which completely bypasses URL-based filtering mechanisms.
When SiYuan renders README content from bazaar packages in its Electron-based marketplace UI, any embedded scripts within srcdoc attributes execute with the full privileges of the Electron application context. This elevation from web context to application context transforms what might be a typical XSS vulnerability into a full remote code execution scenario.
Root Cause
The vulnerability originates from the Lute HTML sanitizer's incomplete tag blocklist and its reliance on URL-prefix filtering that cannot effectively sanitize the srcdoc attribute. The srcdoc attribute embeds complete HTML documents as raw content, meaning URL-based sanitization approaches are fundamentally ineffective against this attack vector. The sanitizer needed to either block iframe tags entirely or implement content-aware sanitization for srcdoc attributes.
Attack Vector
The attack requires network access and involves user interaction through the marketplace browsing experience. An attacker with the ability to publish packages to the SiYuan bazaar can embed malicious content in their package's README file.
The exploitation flow involves embedding an iframe element within the README markdown content. This iframe uses the srcdoc attribute to contain a complete HTML payload including script tags. When a victim browses the marketplace and views the malicious package, SiYuan's README renderer processes the content through the insufficient sanitizer, allowing the iframe and its embedded content to render. The scripts within srcdoc then execute in the Electron context, providing the attacker with application-level privileges that can be leveraged for arbitrary code execution on the underlying system.
Detection Methods for CVE-2026-40922
Indicators of Compromise
- Presence of iframe tags with srcdoc attributes in bazaar package README files
- Unexpected JavaScript execution or process spawning from the SiYuan application
- Anomalous network connections originating from the SiYuan Electron process
- Unusual file system modifications made by the SiYuan application process
Detection Strategies
- Monitor SiYuan application logs for errors related to script execution during marketplace browsing
- Implement content scanning for downloaded bazaar packages to detect iframe elements with srcdoc attributes
- Deploy endpoint detection rules to flag unexpected child processes spawned by Electron applications
- Review installed bazaar packages for suspicious README content patterns
Monitoring Recommendations
- Configure application-level logging to capture HTML rendering events in the marketplace component
- Implement real-time monitoring for SiYuan process behavior anomalies
- Enable network traffic analysis for unexpected outbound connections from SiYuan
- Establish baseline behavior profiles for the SiYuan application to detect deviations
How to Mitigate CVE-2026-40922
Immediate Actions Required
- Upgrade SiYuan to version 3.6.4 or later immediately
- Avoid browsing the SiYuan bazaar/marketplace until the upgrade is complete
- Review recently installed bazaar packages for suspicious content
- Consider temporarily disabling bazaar functionality if immediate upgrade is not possible
Patch Information
The vulnerability has been fixed in SiYuan version 3.6.4. The patch is available through the official GitHub release. The fix is implemented in commit b382f50e1880ed996364509de5a10a72d7409428, which properly addresses the iframe and srcdoc attribute sanitization gaps. Users should update through their normal application update process or download the latest release directly from the official repository.
For detailed technical information about the vulnerability and fix, refer to the GitHub Security Advisory.
Workarounds
- Disable or avoid using the bazaar/marketplace feature until the patch is applied
- Block network access to bazaar repository servers at the firewall level as a temporary measure
- Use SiYuan in offline mode to prevent exposure to malicious marketplace content
- Implement application sandboxing to limit the impact of potential exploitation
# Verify SiYuan version after upgrade
# The version should be 3.6.4 or higher
# Check Help > About in SiYuan or verify the installed version
siyuan --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
