VDB
CVE-2026-33067
CVE-2026-33067
PUBLISHED
CVSS 5.300000190734863 MEDIUM
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.
EPSS 0.11% · 28.8th percentile
Risk Scores
CVSS 4.0
5.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.11%
28.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| siyuan-note | siyuan | < 3.6.1, * |
| github.com | siyuan-note/siyuan/kernel | 0, 0 |
| b3log | siyuan | 0, 0 |
Exploit Intelligence
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc-repo)
- Lopseg/cve-2026-33067 (github-poc)
- Lopseg/cve-2026-33067 (github-poc)
- Lopseg/cve-2026-33067 (github-poc)
…and 11 more exploits
Timeline
- Mar 18, 2026 CVE Published
- Mar 20, 2026 CVE Updated
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published
- Mar 21, 2026 EPSS Score
- Mar 22, 2026 EPSS Score
- Mar 22, 2026 Coalition ESS Score
- Mar 23, 2026 EPSS Score
- Mar 24, 2026 EPSS Score
- Mar 24, 2026 Security Advisory
- Mar 25, 2026 EPSS Score
- May 18, 2026 EPSS Score