CVE-2026-54070

Source
https://cve.org/CVERecord?id=CVE-2026-54070
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54070.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54070
Aliases
Published
2026-06-24T21:18:24.160Z
Modified
2026-07-08T08:09:46.725996843Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
Summary
SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
Details

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schools legacy handler list. That map omits modern event handlers. onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend are not in the list, so the sanitizer passes them through verbatim on any tag. The frontend assigns the rendered HTML to mdElement.innerHTML in app/src/config/bazaar.ts with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires. The README is rendered when an Administrator opens a package in Settings → Marketplace, after the one-time marketplace trust consent. Install is not required. Result: a third-party Bazaar package author runs JavaScript in the Administrator's authenticated SiYuan origin when the Administrator views and interacts with the package listing, and gains full control of the workspace. This vulnerability is fixed in 3.7.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54070.json",
    "cwe_ids": [
        "CWE-184",
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/siyuan-note/siyuan

Affected ranges

Type
GIT
Repo
https://github.com/siyuan-note/siyuan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.7.0"
        }
    ]
}

Affected versions

dev2.*
dev2.0.17-2
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.1-x2
v0.4.2
v0.4.3
v0.4.3-x1
v0.4.32
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.4.91
v0.4.92
v0.4.93
v0.4.94
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.41
v0.5.42
v0.5.43
v0.5.44
v0.5.45
v0.5.46
v0.5.5
v0.5.6
v0.5.6-alpha1
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.6.5
v0.6.6
v0.6.7
v0.6.8
v0.7.0
v0.7.1
v0.7.5
v0.7.8
v0.8.0
v0.8.5
v0.9.0
v0.9.2
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.81
v1.1.82
v1.1.83
v1.2.0
v1.2.0-beta1
v1.2.0-beta10
v1.2.0-beta11
v1.2.0-beta12
v1.2.0-beta13
v1.2.0-beta14
v1.2.0-beta15
v1.2.0-beta16
v1.2.0-beta2
v1.2.0-beta3
v1.2.0-beta4
v1.2.0-beta5
v1.2.0-beta6
v1.2.0-beta7
v1.2.0-beta8
v1.2.0-beta9
v1.2.0-rc1
v1.2.0-rc2
v1.2.0-rc3
v1.2.1
v1.2.2
v1.2.3
v1.2.31
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.5-beta1
v1.5.5-beta2
v1.5.5-beta3
v1.5.6
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.1
v1.8.2
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9
v2.*
v2.0.0
v2.0.0-beta1
v2.0.0-beta2
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.2
v2.0.20
v2.0.21
v2.0.21-dev1
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.26-dev1
v2.0.26-dev2
v2.0.27
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.10
v2.1.11
v2.1.12
v2.1.13
v2.1.14
v2.1.2
v2.1.3
v2.1.3-dev1
v2.1.4
v2.1.5
v2.1.6
v2.1.6-dev1
v2.1.7
v2.1.8
v2.1.8-dev1
v2.1.9
v2.10.0
v2.10.1
v2.10.1-dev1
v2.10.10
v2.10.11
v2.10.11-dev2
v2.10.12
v2.10.12-dev1
v2.10.13
v2.10.13-dev1
v2.10.13-dev5
v2.10.14
v2.10.14-dev1
v2.10.14-dev2
v2.10.15
v2.10.15-dev1
v2.10.16
v2.10.16-dev2
v2.10.2
v2.10.3
v2.10.3-dev1
v2.10.3-dev2
v2.10.3-dev3
v2.10.4
v2.10.4-dev1
v2.10.5
v2.10.5-dev1
v2.10.5-dev2
v2.10.6
v2.10.6-dev1
v2.10.6-dev2
v2.10.6-dev3
v2.10.6-dev4
v2.10.8
v2.10.8-dev1
v2.10.8-dev2
v2.10.8-dev3
v2.10.9
v2.10.9-dev3
v2.11.0
v2.11.0-dev2
v2.11.1
v2.11.1-dev1
v2.11.2
v2.11.2-dev1
v2.11.2-dev2
v2.11.2-dev3
v2.11.2-dev4
v2.11.2-dev5
v2.11.3
v2.11.3-dev1
v2.11.3-dev2
v2.11.4
v2.11.4-dev2
v2.11.4-dev4
v2.11.4-dev5
v2.11.4-dev6
v2.12.0
v2.12.0-dev1
v2.12.1
v2.12.1-dev3
v2.12.2
v2.12.3
v2.12.3-dev2
v2.12.4
v2.12.4-dev2
v2.12.5
v2.12.6
v2.12.7
v2.12.7-dev1
v2.12.7-dev2
v2.12.8
v2.12.8-dev2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.12
v2.4.12-dev2
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.0-dev1
v2.5.0-dev2
v2.5.1
v2.5.1-dev1
v2.5.1-dev2
v2.5.2
v2.5.2-dev2
v2.5.3
v2.5.3-dev2
v2.5.4
v2.5.4-dev1
v2.5.5
v2.5.5-dev1
v2.6.0
v2.6.0-dev1
v2.6.0-dev2
v2.6.0-dev3
v2.6.1
v2.6.1-dev3
v2.6.1-dev4
v2.6.1-dev5
v2.6.1-dev6
v2.6.1-dev7
v2.6.2
v2.6.3
v2.6.3-dev1
v2.6.3-dev2
v2.6.3-dev3
v2.6.3-dev4
v2.6.3-dev6
v2.7.0
v2.7.1
v2.7.1-dev1
v2.7.1-dev5
v2.7.10
v2.7.2
v2.7.2-dev1
v2.7.2-dev2
v2.7.2-dev3
v2.7.3
v2.7.3-dev3
v2.7.3-dev4
v2.7.4
v2.7.4-dev1
v2.7.5
v2.7.5-dev2
v2.7.6
v2.7.6-dev3
v2.7.6-dev4
v2.7.7
v2.7.7-dev1
v2.7.7-dev2
v2.7.7-dev3
v2.7.7-dev4
v2.7.8
v2.7.8-dev1
v2.7.9
v2.7.9-dev1
v2.7.9-dev2
v2.8.0
v2.8.0-dev1
v2.8.1-dev1
v2.8.1-dev2
v2.8.1-dev3
v2.8.10
v2.8.3
v2.8.3-dev1
v2.8.4
v2.8.4-dev2
v2.8.5
v2.8.5-dev1
v2.8.5-dev2
v2.8.5-dev3
v2.8.6
v2.8.6-dev1
v2.8.6-dev2
v2.8.6-dev4
v2.8.7
v2.8.7-dev2
v2.8.7-dev3
v2.8.7-dev5
v2.8.8
v2.8.8-dev1
v2.8.8-dev3
v2.8.9
v2.8.9-dev2
v2.8.9-dev3
v2.9.0
v2.9.0-dev1
v2.9.1
v2.9.1-dev1
v2.9.1-dev2
v2.9.2
v2.9.2-dev2
v2.9.2-dev3
v2.9.3
v2.9.3-dev1
v2.9.3-dev3
v2.9.4
v2.9.4-dev2
v2.9.5
v2.9.5-dev2
v2.9.6
v2.9.6-dev1
v2.9.7
v2.9.7-dev2
v2.9.7-dev3
v2.9.8
v2.9.8-dev1
v2.9.8-dev2
v2.9.9
v2.9.9-dev1
v3.*
v3.0.0
v3.0.0-dev1
v3.0.0-dev2
v3.0.1
v3.0.1-dev2
v3.0.10
v3.0.10-dev1
v3.0.10-dev3
v3.0.11
v3.0.12
v3.0.12-dev1
v3.0.12-dev4
v3.0.12-dev5
v3.0.13-dev3
v3.0.13-dev4
v3.0.14
v3.0.15
v3.0.15-dev1
v3.0.15-dev2
v3.0.16
v3.0.16-dev3
v3.0.17
v3.0.17-dev1
v3.0.17-dev2
v3.0.2
v3.0.2-dev2
v3.0.3
v3.0.3-dev4
v3.0.3-dev5
v3.0.4
v3.0.4-dev2
v3.0.5
v3.0.5-dev3
v3.0.5-dev4
v3.0.5-dev5
v3.0.6
v3.0.6-dev2
v3.0.6-dev3
v3.0.7
v3.0.7-dev1
v3.0.8
v3.0.8-dev1
v3.0.8-dev2
v3.0.9
v3.1.0
v3.1.0-dev10
v3.1.0-dev11
v3.1.0-dev12
v3.1.0-dev2
v3.1.0-dev3
v3.1.0-dev8
v3.1.0-dev9
v3.1.1-dev1
v3.1.1-dev2
v3.1.10
v3.1.10-dev1
v3.1.10-dev6
v3.1.11
v3.1.11-dev2
v3.1.11-dev5
v3.1.11-dev9
v3.1.12
v3.1.12-dev2
v3.1.12-dev3
v3.1.12-dev4
v3.1.13
v3.1.14
v3.1.14-dev2
v3.1.15
v3.1.15-dev1
v3.1.15-dev3
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.19-dev3
v3.1.2
v3.1.2-dev2
v3.1.2-dev3
v3.1.2-dev4
v3.1.20
v3.1.20-dev3
v3.1.20-dev4
v3.1.21
v3.1.21-dev1
v3.1.21-dev3
v3.1.21-dev4
v3.1.22
v3.1.22-dev1
v3.1.22-dev2
v3.1.23
v3.1.24
v3.1.25
v3.1.25-dev3
v3.1.25-dev4
v3.1.25-dev6
v3.1.26
v3.1.26-dev1
v3.1.26-dev2
v3.1.26-dev3
v3.1.27
v3.1.27-dev1
v3.1.27-dev2
v3.1.27-dev4
v3.1.28
v3.1.28-dev2
v3.1.28-dev3
v3.1.29
v3.1.29-dev3
v3.1.3
v3.1.3-dev1
v3.1.3-dev2
v3.1.30
v3.1.30-dev1
v3.1.31
v3.1.32
v3.1.32-dev2
v3.1.4
v3.1.4-dev2
v3.1.4-dev3
v3.1.4-dev5
v3.1.5
v3.1.6
v3.1.6-dev1
v3.1.6-dev2
v3.1.7
v3.1.7-dev3
v3.1.7-dev4
v3.1.7-dev5
v3.1.7-dev7
v3.1.7-dev8
v3.1.8
v3.1.8-dev2
v3.1.8-dev3
v3.1.9
v3.1.9-dev1
v3.1.9-dev10
v3.1.9-dev2
v3.1.9-dev3
v3.1.9-dev4
v3.1.9-dev6
v3.1.9-dev7
v3.1.9-dev9
v3.2.0-dev1
v3.2.0-dev10
v3.2.0-dev2
v3.2.0-dev3
v3.2.0-dev4
v3.2.0-dev6
v3.2.0-dev8
v3.2.0-dev9
v3.2.1
v3.2.1-dev2
v3.2.1-dev3
v3.2.1-dev4
v3.2.1-dev5
v3.2.1-dev6
v3.3.0
v3.3.0-dev3
v3.3.0-dev4
v3.3.1
v3.3.2
v3.3.2-dev1
v3.3.2-dev2
v3.3.3
v3.3.3-dev1
v3.3.3-dev2
v3.3.3-dev3
v3.3.3-dev4
v3.3.3-dev5
v3.3.4
v3.3.4-dev1
v3.3.4-dev2
v3.3.5
v3.3.6
v3.3.6-dev1
v3.3.6-dev2
v3.4.0
v3.4.0-dev1
v3.4.0-dev2
v3.4.0-dev3
v3.4.0-dev4
v3.4.0-dev5
v3.4.1
v3.4.1-dev1
v3.4.2
v3.4.2-dev1
v3.5.0
v3.5.0-dev1
v3.5.0-dev2
v3.5.1
v3.5.1-dev1
v3.5.1-dev2
v3.5.10
v3.5.2
v3.5.2-dev1
v3.5.2-dev2
v3.5.3
v3.5.3-dev2
v3.5.3-dev3
v3.5.3-dev4
v3.5.3-dev5
v3.5.4
v3.5.4-dev1
v3.5.4-dev2
v3.5.4-dev3
v3.5.4-dev5
v3.5.5
v3.5.7
v3.5.8
v3.5.8-dev2
v3.5.9
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.6.4-dev2
v3.6.5
v3.6.5-dev2
v3.7.0-dev12
v3.7.0-dev2
v3.7.0-dev5
v3.7.0-dev8
v3.7.0-rc.1
v3.7.0-rc.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54070.json"