SiYuan: 对 bazaar README 的消毒不完整，允许通过 iframe srcdoc 存储 XSS (对 CVE-2026-33066 的不完整修复)

SiYuan 的 CVE-2026-40922 漏洞，尤其是在 Bazaar README 渲染中，允许存储型跨站脚本攻击 (XSS)。不完整的修复启用了 Lute HTML sanitizer，但未能阻止 <iframe> 标签及其 srcdoc 属性。这使得攻击者能够在 <iframe> 标签的 srcdoc 属性中注入恶意 JavaScript 代码。此代码将在 SiYuan Electron 应用程序的上下文中执行，可能导致敏感信息泄露、用户界面操纵，甚至完全控制应用程序。此漏洞的严重性在于可能危及 SiYuan 中用户的安全和数据的完整性。

Users of SiYuan who rely on bazaar packages for extensions or themes are at particular risk. This includes users who frequently install packages from untrusted sources or those who share their SiYuan data with others. Legacy configurations or deployments with outdated security practices are also more vulnerable.

• linux / server: Monitor SiYuan's log files for unusual activity related to bazaar package rendering. Look for patterns indicative of HTML injection attempts.

 grep -i "<iframe>" /path/to/siyuan/logs/readme.log

• generic web: Inspect network traffic for requests to SiYuan's bazaar endpoints with suspicious parameters or payloads.

 curl -v <siyuan_url>/api/bazaar/packages | grep <iframe>

1. 2026-04-16Disclosure

   disclosure

1. 已保留2026-04-15
2. 发布日期2026-04-16
3. 修改日期2026-04-20
4. EPSS 更新日期2026-04-24

针对 CVE-2026-40922 的主要缓解措施是升级到 SiYuan 3.6.4 或更高版本。此版本包含完全修复，阻止 <iframe> 标签及其 srcdoc 属性，从而防止恶意脚本执行。在等待更新期间，请避免从不可信来源导入 Bazaar README 文件。此外，请检查并清理任何先前导入的 README 文件，这些文件可能包含恶意代码。监控 SiYuan 应用程序内的异常活动也有助于检测潜在攻击。