CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-56mp-4f3v-fgj2: SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content

criticalCVSS 9.9CVE-2026-50551
SiYuan v3.6.5 and earlier versions contain a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This is a neighbor-bug of CVE-2026-44588: the fix for -44588 used escapeAriaLabel() (double-escapes <), but the AV asset renderers were left using the weaker escapeAttr() (escapes only quotes) or no escaping at all. Vulnerability Details The Electron renderer is configured with nodeIntegration: true and contextIsolation: false (app/electron/main.js:307), allowing any JavaScript executing in the renderer to directly access Node.js APIs including require('child_process'). Two XSS sinks exist. Sink 1 (Direct Stored XSS - triggers on page load) app/src/protyle/render/av/cell.ts:1008: text += `<span class="b3-chip avcelltext--url ariaLabel" aria-label="${escapeAttr(item.content)}" data-name="${escapeAttr(item.name)}" data-url="${escapeAttr(item.content)}">${item.name || item.content}</span>`; The >${item.name || item.content}</span> portion is raw user input with zero escaping. app/src/protyle/render/av/blockAttr.ts:93 (even worse - completely unescaped): html += <img loading="lazy" class="avcellassetimg ariaLabel" aria-label="${item.content}" src="${getCompressURL(item.content)}">; Rendered via action.ts:860: cellElement.innerHTML = renderCell(...) results in immediate XSS on page load. Sink 2 (Hover-triggered XSS via aria-label round-trip) - Same lines emit aria-label="${escapeAttr(item.content)}" on .ariaLabel elements. - escapeAttr() (util/escape.ts:14) escapes only " and ' — NOT < or >. - popover.ts:33 global mouseover handler reads aria-label via getAttribute (which attribute-decodes entities). - Line 144: showTooltip(decodeURIComponent(tip), ...) then tooltip.ts:41: messageElement.innerHTML = message results in XSS on hover. Source - app/src/protyle/render/av/asset.ts:405: addAssetLink() reads user input from a free

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.9
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-56mp-4f3v-fgj2

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50551coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories