GHSA-56mp-4f3v-fgj2: SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
SiYuan v3.6.5 and earlier versions contain a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This is a neighbor-bug of CVE-2026-44588: the fix for -44588 used escapeAriaLabel() (double-escapes <), but the AV asset renderers were left using the weaker escapeAttr() (escapes only quotes) or no escaping at all.
Vulnerability Details
The Electron renderer is configured with nodeIntegration: true and contextIsolation: false (app/electron/main.js:307), allowing any JavaScript executing in the renderer to directly access Node.js APIs including require('child_process').
Two XSS sinks exist.
Sink 1 (Direct Stored XSS - triggers on page load)
app/src/protyle/render/av/cell.ts:1008:
text += `<span class="b3-chip avcelltext--url ariaLabel" aria-label="${escapeAttr(item.content)}" data-name="${escapeAttr(item.name)}"
data-url="${escapeAttr(item.content)}">${item.name || item.content}</span>`;
The >${item.name || item.content}</span> portion is raw user input with zero escaping.
app/src/protyle/render/av/blockAttr.ts:93 (even worse - completely unescaped):
html += <img loading="lazy" class="avcellassetimg ariaLabel" aria-label="${item.content}" src="${getCompressURL(item.content)}">;
Rendered via action.ts:860: cellElement.innerHTML = renderCell(...) results in immediate XSS on page load.
Sink 2 (Hover-triggered XSS via aria-label round-trip)
- Same lines emit aria-label="${escapeAttr(item.content)}" on .ariaLabel elements.
- escapeAttr() (util/escape.ts:14) escapes only " and ' — NOT < or >.
- popover.ts:33 global mouseover handler reads aria-label via getAttribute (which attribute-decodes entities).
- Line 144: showTooltip(decodeURIComponent(tip), ...) then tooltip.ts:41: messageElement.innerHTML = message results in XSS on hover.
Source
- app/src/protyle/render/av/asset.ts:405: addAssetLink() reads user input from a free
Details
Original advisory: https://github.com/advisories/GHSA-56mp-4f3v-fgj2
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-505510.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-50551 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10