CVE-2026-40922

Source
https://cve.org/CVERecord?id=CVE-2026-40922
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40922.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40922
Aliases
Related
Published
2026-04-16T23:14:00.592Z
Modified
2026-07-08T08:12:34.495681046Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066)
Details

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not effectively filter srcdoc attributes which contain raw HTML rather than URLs. A malicious bazaar package author can include an iframe with a srcdoc attribute containing embedded scripts in their README. When other users view the package in SiYuan's marketplace UI, the payload executes in the Electron context with full application privileges, enabling arbitrary code execution on the user's machine. This issue has been fixed in version 3.6.4.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40922.json"
}
References

Affected packages

Git / github.com/siyuan-note/siyuan

Affected ranges

Type
GIT
Repo
https://github.com/siyuan-note/siyuan
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "3.6.1"
        },
        {
            "fixed": "3.6.4"
        }
    ],
    "cpe": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v3.*
v3.6.1
v3.6.2
v3.6.3
v3.6.4-dev2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40922.json"