Platform
go
Component
siyuan-note
Fixed in
3.6.5
0.0.0-20260414013942-62eed37a3263
CVE-2026-40922 describes a stored Cross-Site Scripting (XSS) vulnerability in the SiYuan note-taking application. The flaw arises from an incomplete fix for the rendering of bazaar (marketplace) README files, which still lets an attacker inject script through the README markup. Affected versions are 3.6.1 through 3.6.4; the fix is available in version 3.6.5 (Go module pseudo-version 0.0.0-20260414013942-62eed37a3263). Because the README is rendered inside SiYuan's Electron front end, the injected script can lead to arbitrary code execution within the application's Electron context.
Successful exploitation of CVE-2026-40922 allows an attacker to run arbitrary JavaScript inside SiYuan in the context of the user's session, which is enough to steal sensitive data, modify notes, or, given the Electron context, take control of the application. The attack vector is a crafted bazaar README containing an <iframe> whose srcdoc attribute carries an inline HTML document with embedded JavaScript. The srcdoc attribute matters because a filter that only neutralises src (the remote-URL case) leaves it untouched, and a srcdoc document is same-origin with the page that embeds it unless the frame is sandboxed, so its script runs with the application's own privileges. When a user views the README in SiYuan, the script executes. The blast radius is every user who installs and views a malicious bazaar package, potentially exposing their entire note collection and associated data.
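The difference between attribute-level filtering that leaves srcdoc alive and an element-level allowlist, as an added example in Go (the language of the SiYuan kernel). This is illustrative code written for this page; it is not SiYuan's renderer, the actual patch, or a proof of concept from the advisory. incompleteFix stands in for a fix that only strips src= from iframes; Sanitize is an allowlist sanitizer in which the tag list, the per-element attribute list and every helper name are assumptions. It also covers the verification step described under mitigation: feed it a README-style fragment carrying an <iframe srcdoc> payload and check that nothing but allowlisted markup survives.

```go
package main

import (
	"html"
	"regexp"
	"strings"
)

// Illustrative attribute-level "fix" (not SiYuan's code): strip src= from <iframe>.
// The srcdoc= attribute, on*= handlers and the element itself all survive it.
var iframeSrc = regexp.MustCompile(`(?i)(<iframe\b[^>]*?)\s+src\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)`)

func incompleteFix(in string) string { return iframeSrc.ReplaceAllString(in, "$1") }

func set(words string) (m map[string]bool) { m = map[string]bool{}; for _, w := range strings.Fields(words) { m[w] = true }; return }

// Assumed policy for rendered README HTML: elements not in allowedTags are removed,
// those in dropBody together with their whole body; attributes are allowed per element.
var allowedTags = set("p a img br hr em strong code pre ul ol li h1 h2 h3 blockquote table tr th td")
var allowedAttrs = map[string]map[string]bool{"a": set("href title"), "img": set("src alt title")}
var dropBody = set("script style iframe object embed noscript textarea svg math")
var nameRe = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9]*`)
var attrRe = regexp.MustCompile(`([A-Za-z_:][-A-Za-z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?`)

func isAlpha(c byte) bool { return 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' }

// tagEnd returns the index just past the '>' closing the tag at s[0]=='<', or -1. Quoted
// attribute values are honoured, so <iframe srcdoc="<script>x</script>"> is one tag; a
// regex such as <iframe[^>]*> would stop at the first '>' inside the srcdoc value.
func tagEnd(s string) int {
	var quote byte
	afterEq := false
	for i := 1; i < len(s); i++ {
		switch c := s[i]; {
		case quote != 0:
			if c == quote { quote = 0 }
		case afterEq && (c == '"' || c == '\''):
			quote, afterEq = c, false
		case c == '=':
			afterEq = true
		case c == '>':
			return i + 1
		case !strings.ContainsRune(" \t\n\r", rune(c)):
			afterEq = false
		}
	}
	return -1
}

// safeURL accepts relative URLs and http/https/mailto after dropping control and
// whitespace bytes, so "java\tscript:" cannot slip past the scheme check.
func safeURL(u string) bool {
	v := strings.Map(func(r rune) rune { if r <= ' ' { return -1 }; return r }, strings.ToLower(u))
	colon, sep := strings.IndexByte(v, ':'), strings.IndexAny(v, "/?#")
	if colon < 0 || sep >= 0 && sep < colon { return true } // no scheme, or ':' inside path/query
	return v[:colon] == "http" || v[:colon] == "https" || v[:colon] == "mailto"
}

// Sanitize applies the policy to untrusted HTML with a simplified tokenizer (not a full
// HTML5 parser): disallowed elements are removed (inner text kept unless in dropBody),
// non-allowlisted attributes dropped, href/src scheme-checked after entity decoding,
// and a '<' that does not start a tag (comment, doctype, literal '<') is escaped.
func Sanitize(in string) string {
	var out strings.Builder
	for i := 0; i < len(in); {
		lt := strings.IndexByte(in[i:], '<')
		if lt < 0 { out.WriteString(in[i:]); break }
		out.WriteString(in[i : i+lt])
		i += lt
		rest := in[i:]
		end := tagEnd(rest)
		if end < 0 || !(isAlpha(rest[1]) || rest[1] == '/' && len(rest) > 2 && isAlpha(rest[2])) {
			out.WriteString("&lt;"); i++; continue
		}
		tag, closing := strings.TrimPrefix(rest[1:end-1], "/"), rest[1] == '/'
		i += end
		name := strings.ToLower(nameRe.FindString(tag)) // ASCII, so len(name) == bytes consumed
		if dropBody[name] && !closing { // skip past the matching close tag, ASCII case-insensitively
			low := strings.Map(func(r rune) rune { if 'A' <= r && r <= 'Z' { return r + 32 }; return r }, in[i:])
			k := strings.Index(low, "</"+name)
			if k < 0 { i = len(in); continue } // unterminated: the element swallows the rest
			if ce := tagEnd(in[i+k:]); ce > 0 { i += k + ce } else { i = len(in) }
			continue
		}
		if !allowedTags[name] { continue }
		if closing { out.WriteString("</" + name + ">"); continue }
		out.WriteString("<" + name)
		for _, m := range attrRe.FindAllStringSubmatch(tag[len(name):], -1) {
			an, v := strings.ToLower(m[1]), html.UnescapeString(m[2]+m[3]+m[4])
			if !allowedAttrs[name][an] || (an == "href" || an == "src") && !safeURL(v) { continue }
			out.WriteString(" " + an + `="` + html.EscapeString(v) + `"`)
		}
		out.WriteString(">")
	}
	return out.String()
}
```

Run Sanitize over a constructed fragment such as `<p>Theme docs</p><iframe src="https://x.example" srcdoc="<script>alert(1)</script>"></iframe>` and only `<p>Theme docs</p>` comes back, whereas incompleteFix returns the iframe with its srcdoc payload intact. The structural lesson is the point: decide per element whether it may exist at all, and only then which attributes it may keep, instead of blacklisting individual attributes on an element that should never reach the DOM. For production code prefer a maintained sanitizer (bluemonday is the usual choice in Go) over a hand-written tokenizer like this one.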
CVE-2026-40922 was publicly disclosed on 2026-04-16. No public proof-of-concept exploit is currently available. The vulnerability is tracked on the NVD and CISA websites. The EPSS score is 0.03% (10th percentile), i.e. a low predicted probability of exploitation in the wild at present; that estimate would change quickly if a weaponised package appeared in the bazaar, because the marketplace itself is the delivery channel and installing the package is all a victim has to do.
Users of SiYuan who install bazaar packages for extensions such as plugins or themes are at particular risk, above all those who install packages from sources they have not vetted. Users who share a SiYuan workspace with others inherit the risk of every package the others install. Deployments that cannot be upgraded promptly stay exposed for as long as they render READMEs of untrusted packages.
• linux / server: Scan the README files of installed bazaar packages in the SiYuan workspace for injected iframes. Match <iframe without the closing bracket so that tags carrying attributes (<iframe srcdoc="...">) are found; the workspace path below is a placeholder.
grep -ril '<iframe' /path/to/siyuan/workspace --include='README*.md'
• generic web: Inspect responses from SiYuan's bazaar endpoints for iframe markup. The URL is a placeholder and the pattern must be quoted: an unquoted <iframe> is parsed by the shell as a file redirection, not as a search string.
curl -s "$SIYUAN_URL/api/bazaar/packages" | grep -i '<iframe'
Disclosure
Exploit Status
EPSS
0.03% (10th percentile)
CISA SSVC
The primary mitigation for CVE-2026-40922 is to upgrade SiYuan to version 3.6.5 or later, which carries the complete fix for README rendering. If an immediate upgrade is not feasible, stop installing bazaar packages from sources you have not vetted; there is no configuration-level workaround, so reviewing a package's README source before installing it is the only interim control. After upgrading, confirm the fix with a package you control rather than a known-malicious one: add an <iframe> with a harmless srcdoc value (a visible marker string) to a test package's README, open it in SiYuan, and verify that no frame is rendered and no script runs.
Update to version 3.6.5 or later to mitigate the vulnerability. This version corrects the incomplete sanitisation of iframe tags in bazaar package READMEs, preventing malicious code from executing in the application's context.
CVE-2026-40922 is a stored XSS vulnerability in SiYuan versions 3.6.1 through 3.6.4, allowing attackers to inject malicious scripts via bazaar README files.
You are affected if you are using SiYuan versions 3.6.1, 3.6.2, 3.6.3, or 3.6.4 and utilize bazaar packages.
Upgrade SiYuan to version 3.6.5 or later to remediate the vulnerability. Consider disabling bazaar package installation from untrusted sources as a temporary measure.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official SiYuan security advisory for detailed information and updates: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx (GHSA-xxxx-xxxx-xxxx is a placeholder; replace it with the actual advisory identifier).