The kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js ...
id: GO-ID-PENDING
modules:
    - module: github.com/siyuan-note/siyuan/kernel
      vulnerable_at: 0.0.0-20260421031503-96dfe0bea474
summary: SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE in github.com/siyuan-note/siyuan/kernel
cves:
    - CVE-2026-44670
ghsas:
    - GHSA-2h64-c999-c9r6
references:
    - advisory: https://github.com/advisories/GHSA-2h64-c999-c9r6
    - advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h64-c999-c9r6
source:
    id: GHSA-2h64-c999-c9r6
    created: 2026-05-08T17:02:11.696938183Z
review_status: UNREVIEWED
Advisory GHSA-2h64-c999-c9r6 references a vulnerability in the following Go modules:
Description:
Summary
The kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120 → outerHTML, Title.ts:401 → innerHTML, transaction.ts:559 → innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js ...
References:
Cross references:
See doc/quickstart.md for instructions on how to triage this report.
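The substitution pattern named in the description, next to an escaped variant and a regression check, as an added example that is not SiYuan's code or its fix. The template string, the function names and the sample name are assumptions constructed for illustration; only the `${avName}` placeholder and the `strings.ReplaceAll` call shape come from the advisory text.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// tpl is a constructed stand-in for the kernel's render template. Only the
// ${avName} placeholder is taken from the advisory.
const tpl = `<div class="av__title">${avName}</div>`

// renderRaw follows the pattern the advisory describes: the stored name is
// substituted into HTML with no escaping.
func renderRaw(nodeAvName string) string {
	return strings.ReplaceAll(tpl, "${avName}", nodeAvName)
}

// renderEscaped HTML-escapes the name at the point where it enters markup,
// so <, >, &, ' and " arrive at the client as character references.
func renderEscaped(nodeAvName string) string {
	return strings.ReplaceAll(tpl, "${avName}", html.EscapeString(nodeAvName))
}

// addsMarkup is a regression check: a rendered fragment must contain exactly
// as many tag openers as the template itself. Any extra "<" means the name
// was interpreted as markup instead of text.
func addsMarkup(render func(string) string, name string) bool {
	return strings.Count(render(name), "<") != strings.Count(tpl, "<")
}

func main() {
	// Constructed sample name containing harmless markup and metacharacters.
	name := `Tasks <b>2026</b> & "notes"`
	fmt.Println("raw:     ", renderRaw(name))
	fmt.Println("escaped: ", renderEscaped(name))
	fmt.Println("raw adds markup:    ", addsMarkup(renderRaw, name))
	fmt.Println("escaped adds markup:", addsMarkup(renderEscaped, name))
}
```

Escaping at this one substitution covers only the kernel-side template; the three client paths listed in the description assign the value to innerHTML or outerHTML and need their own handling.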