CVE-2026-50551
SiYuan v3.6.5 and earlier versions contain a stored cross-site scripting (XSS) vulnerability in the Attribute View (database) asset cell renderer that escalates to remote code execution (RCE) in the Electron desktop client. This is a neighbor-bug of CVE-2026-44588: the fix for -44588 used escapeAriaLabel() (double-escapes <), but the AV asset renderers were left using the weaker escapeAttr() (escapes only quotes) or no escaping at all.
Vulnerability Details
The Electron renderer is configured with nodeIntegration: true and contextIsolation: false (app/electron/main.js:307), allowing any JavaScript executing in the renderer to directly access Node.js APIs including require('child_process').
Two XSS sinks exist.
Sink 1 (Direct Stored XSS - triggers on page load)
app/src/protyle/render/av/cell.ts:1008:
text += `<span class="b3-chip avcelltext--url ariaLabel" aria-label="${escapeAttr(item.content)}" data-name="${escapeAttr(item.name)}"
data-url="${escapeAttr(item.content)}">${item.name || item.content}</span>`;
The >${item.name || item.content}</span> portion is raw user input with zero escaping.
app/src/protyle/render/av/blockAttr.ts:93 (even worse - completely unescaped):
html += <img loading="lazy" class="avcellassetimg ariaLabel" aria-label="${item.content}" src="${getCompressURL(item.content)}">;
Rendered via action.ts:860: cellElement.innerHTML = renderCell(...) results in immediate XSS on page load.
Sink 2 (Hover-triggered XSS via aria-label round-trip)
- Same lines emit aria-label="${escapeAttr(item.content)}" on .ariaLabel elements.
- escapeAttr() (util/escape.ts:14) escapes only " and ' — NOT < or >.
- popover.ts:33 global mouseover handler reads aria-label via getAttribute (which attribute-decodes entities).
- Line 144: showTooltip(decodeURIComponent(tip), ...) then tooltip.ts:41: messageElement.innerHTML = message results in XSS on hover.
Source
- app/src/protyle/render/av/asset.ts:405: addAssetLink() reads user input from a free
⚡ Watch CVE-2026-50551
Get an email if CVE-2026-50551 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all EPSS-scored CVEs.
Advisory coverage (1)
- criticalGHSA-56mp-4f3v-fgj2: SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Contentghsa · 2026-07-10
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-50551)