Unrated

Stored XSS to RCE in SiYuan genAVValueHTML attribute-view renderer

IdentifiersCVE-2026-54158CWE-79

CVE-2026-54158 is a stored cross-site scripting vulnerability in SiYuan affecting versions prior to 3.7.0. The flaw is in the attribute-view (database) cell renderer function genAVValueHTML(), which interpolates cell content without proper escaping in at least four branches: text, url, phone, and mAsset. An attacker can place crafted payloads such as breaking out of surrounding tags with sequences like </textarea><img src=x onerror="..."> or "><img src=x onerror="..."> so that arbitrary JavaScript executes when a victim opens the block-attribute panel containing the malicious row. The malicious cell content is not escaped on input by the kernel and persists byte-for-byte in workspace AV files. Because those files are stored in the workspace and propagate through normal sync, a payload written once to a synced workspace can trigger on multiple devices that later open the affected panel. On Electron desktop deployments, the renderer runs with nodeIntegration:true, allowing the XSS to be chained into host-level remote code execution via Node.js APIs such as require('child_process').

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of arbitrary JavaScript in the SiYuan renderer context when the victim opens a block-attribute panel containing attacker-controlled cell data. In Electron desktop environments, this can escalate to host remote code execution because nodeIntegration:true exposes Node.js functionality to the compromised renderer, enabling process execution through child_process. The issue is persistent and sync-propagated, so a single malicious row can affect every synced device that opens the relevant panel. Impact therefore includes compromise of confidentiality, integrity, and availability of the local host and user data, as well as cross-device propagation within shared or synced workspaces.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, avoid opening untrusted block-attribute panels or attribute-view rows originating from untrusted or shared synced workspaces. Restrict write access to synced workspaces to trusted users only, because write access is sufficient to plant the persistent payload. Where operationally feasible, disable or reduce risky Electron renderer capabilities such as nodeIntegration to prevent XSS-to-RCE chaining. Additional defensive filtering or sanitization of imported or synchronized cell content may reduce exposure, but upgrading remains the primary mitigation.

Remediation

Patch, then assume compromise.

Upgrade SiYuan to version 3.7.0 or later, where the vulnerability is fixed. The vulnerable rendering path in genAVValueHTML() should no longer interpolate untrusted cell content raw in the text, url, phone, and mAsset branches. Any related server- or kernel-side handling should ensure proper escaping or sanitization of attribute-view cell values before storage and before rendering, analogous to the html.EscapeAttrVal-style protection referenced for other attribute paths.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

cvefeed high severityNews

Jun 24, 2026

CVE-2026-54158 - SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()

A critical stored XSS vulnerability in SiYuan that can chain to remote code execution on Electron desktop clients due to nodeIntegration being enabled.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-54158

NVD

nvd.nist.gov/vuln/detail/CVE-2026-54158

MITRE CWE · CWE-79

cwe.mitre.org