GHSA-W7CG-WHH7-XP28
Vulnerability from github – Published: 2026-07-10 19:27 – Updated: 2026-07-10 19:27Summary
renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schools legacy handler list.
That map omits modern event handlers. onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend are not in the list, so the sanitizer passes them through verbatim on any tag.
The frontend assigns the rendered HTML to mdElement.innerHTML in app/src/config/bazaar.ts with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires.
The README is rendered when an Administrator opens a package in Settings → Marketplace, after the one-time marketplace trust consent. Install is not required.
Result: a third-party Bazaar package author runs JavaScript in the Administrator's authenticated SiYuan origin when the Administrator views and interacts with the package listing, and gains full control of the workspace.
Affected
siyuan-note/siyuan, <= 3.6.5 (latest release, 2026-04-21). Confirmed live-exploitable on the b3log/siyuan:v3.6.5 image; identical code on master HEAD.
Condition: the Administrator has accepted the marketplace trust consent (bazaar.trust, default false) and browses community Bazaar packages. The lute dependency pin is github.com/88250/lute v1.7.7-0.20260419134724-bb68012f231d.
Both the online browse path (getBazaarPackageREADME) and the installed-package path (getInstalledPlugin) reach the same sink.
Root cause
render/sanitizer.go:225-232 (lute): allowAttr(name) returns false only when name exists in the eventAttrs map, an attribute denylist rather than an allowlist.
render/sanitizer.go:235-334 (lute): eventAttrs is the w3schools handler list and contains no pointer, beforetoggle, focusin, animation, or transition handlers.
kernel/bazaar/readme.go:108-118: renderPackageREADME builds the engine with SetSanitize(true) and returns the HTML string to the caller.
kernel/bazaar/readme.go:48-88: GetBazaarPackageREADME renders an untrusted remote package README; kernel/api/bazaar.go exposes it at /api/bazaar/getBazaarPackageREADME (router.go:423, CheckAuth).
app/src/config/bazaar.ts:600 and :609: mdElement.innerHTML = data.preferredReadme / = response.data.html, no DOMPurify, target is a plain div.
Kernel HTTP responses carry no CSP/X-Frame-Options/X-Content-Type-Options header (live-confirmed), so an inline handler is not blocked.
Reproduction
b3log/siyuan:v3.6.5 Docker, default config, access auth code set, marketplace trust accepted.
- Place a package whose README carries a non-blocklisted handler (an online community package produces the identical render at browse time):
mkdir -p workspace/data/plugins/evil-plugin
cat > workspace/data/plugins/evil-plugin/plugin.json <<'JSON'
{"name":"evil-plugin","author":"x","version":"1.0.0","minAppVersion":"3.0.0",
"displayName":{"default":"Evil"},"description":{"default":"poc"},
"readme":{"default":"README.md"},"backends":["all"],"frontends":["all"]}
JSON
printf '<div onpointerover="alert(document.domain)">plugin description</div>\n' \
> workspace/data/plugins/evil-plugin/README.md
- Request the rendered README the way the Marketplace panel does:
curl -s -X POST http://127.0.0.1:6806/api/bazaar/getInstalledPlugin \
-H "Authorization: Token <API-TOKEN>" -H "Content-Type: application/json" \
-d '{"frontend":"all","keyword":""}'
Response data.packages[].preferredReadme contains the handler verbatim:
<div onpointerover="alert(document.domain)">plugin description</div>
A control <img src=x onerror=...> in the same README is returned HTML-escaped and inert.
- In Settings → Marketplace, open the package and move the pointer over its README.
Live-verified: the rendered HTML is assigned to mdElement.innerHTML (no CSP, no sandbox) and the onpointerover handler executes alert(document.domain) in the SiYuan origin on hover. Handlers do not auto-fire on insertion; one pointer/focus/click interaction on the listing triggers them.
Impact
- JavaScript execution in the Administrator's authenticated origin on a marketplace package view plus one hover/click/focus, no install needed.
- Theft of the kernel API token (
conf.api.token), which grants full Administrator API access. - Pivot to
installBazaarPluginand kernel control; the runtime image ships a shell. - A single malicious community package reaches every instance that views its listing.
Credit
Jan Kahmen, turingpoint (jan@turingpoint.de)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/siyuan-note/siyuan/kernel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260628153353-2d5d72223df4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54070"
],
"database_specific": {
"cwe_ids": [
"CWE-184",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-10T19:27:24Z",
"nvd_published_at": "2026-06-24T22:16:48Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`renderPackageREADME` in `kernel/bazaar/readme.go` renders a Bazaar package README from Markdown to HTML with the lute engine and `SetSanitize(true)`. The lute sanitizer is an event-handler blocklist: `allowAttr` rejects only attribute names present in a fixed `eventAttrs` map copied from the w3schools legacy handler list.\n\nThat map omits modern event handlers. `onpointerover`, `onpointerdown`, `onauxclick`, `onbeforetoggle`, `onfocusin`, `onanimationstart`, and `ontransitionend` are not in the list, so the sanitizer passes them through verbatim on any tag.\n\nThe frontend assigns the rendered HTML to `mdElement.innerHTML` in `app/src/config/bazaar.ts` with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires.\n\nThe README is rendered when an Administrator opens a package in Settings \u2192 Marketplace, after the one-time marketplace trust consent. Install is not required.\n\nResult: a third-party Bazaar package author runs JavaScript in the Administrator\u0027s authenticated SiYuan origin when the Administrator views and interacts with the package listing, and gains full control of the workspace.\n\n## Affected\n\nsiyuan-note/siyuan, `\u003c= 3.6.5` (latest release, 2026-04-21). Confirmed live-exploitable on the `b3log/siyuan:v3.6.5` image; identical code on `master` HEAD.\nCondition: the Administrator has accepted the marketplace trust consent (`bazaar.trust`, default false) and browses community Bazaar packages. The lute dependency pin is `github.com/88250/lute v1.7.7-0.20260419134724-bb68012f231d`.\nBoth the online browse path (`getBazaarPackageREADME`) and the installed-package path (`getInstalledPlugin`) reach the same sink.\n\n## Root cause\n\n`render/sanitizer.go:225-232` (lute): `allowAttr(name)` returns false only when `name` exists in the `eventAttrs` map, an attribute denylist rather than an allowlist.\n`render/sanitizer.go:235-334` (lute): `eventAttrs` is the w3schools handler list and contains no pointer, beforetoggle, focusin, animation, or transition handlers.\n`kernel/bazaar/readme.go:108-118`: `renderPackageREADME` builds the engine with `SetSanitize(true)` and returns the HTML string to the caller.\n`kernel/bazaar/readme.go:48-88`: `GetBazaarPackageREADME` renders an untrusted remote package README; `kernel/api/bazaar.go` exposes it at `/api/bazaar/getBazaarPackageREADME` (`router.go:423`, `CheckAuth`).\n`app/src/config/bazaar.ts:600` and `:609`: `mdElement.innerHTML = data.preferredReadme` / `= response.data.html`, no DOMPurify, target is a plain div.\nKernel HTTP responses carry no CSP/X-Frame-Options/X-Content-Type-Options header (live-confirmed), so an inline handler is not blocked.\n\n## Reproduction\n\n`b3log/siyuan:v3.6.5` Docker, default config, access auth code set, marketplace trust accepted.\n\n1. Place a package whose README carries a non-blocklisted handler (an online community package produces the identical render at browse time):\n\n```\nmkdir -p workspace/data/plugins/evil-plugin\ncat \u003e workspace/data/plugins/evil-plugin/plugin.json \u003c\u003c\u0027JSON\u0027\n{\"name\":\"evil-plugin\",\"author\":\"x\",\"version\":\"1.0.0\",\"minAppVersion\":\"3.0.0\",\n \"displayName\":{\"default\":\"Evil\"},\"description\":{\"default\":\"poc\"},\n \"readme\":{\"default\":\"README.md\"},\"backends\":[\"all\"],\"frontends\":[\"all\"]}\nJSON\nprintf \u0027\u003cdiv onpointerover=\"alert(document.domain)\"\u003eplugin description\u003c/div\u003e\\n\u0027 \\\n \u003e workspace/data/plugins/evil-plugin/README.md\n```\n\n2. Request the rendered README the way the Marketplace panel does:\n\n```\ncurl -s -X POST http://127.0.0.1:6806/api/bazaar/getInstalledPlugin \\\n -H \"Authorization: Token \u003cAPI-TOKEN\u003e\" -H \"Content-Type: application/json\" \\\n -d \u0027{\"frontend\":\"all\",\"keyword\":\"\"}\u0027\n```\n\nResponse `data.packages[].preferredReadme` contains the handler verbatim:\n\n```\n\u003cdiv onpointerover=\"alert(document.domain)\"\u003eplugin description\u003c/div\u003e\n```\n\nA control `\u003cimg src=x onerror=...\u003e` in the same README is returned HTML-escaped and inert.\n\n3. In Settings \u2192 Marketplace, open the package and move the pointer over its README.\n\nLive-verified: the rendered HTML is assigned to `mdElement.innerHTML` (no CSP, no sandbox) and the `onpointerover` handler executes `alert(document.domain)` in the SiYuan origin on hover. Handlers do not auto-fire on insertion; one pointer/focus/click interaction on the listing triggers them.\n\n## Impact\n\n- JavaScript execution in the Administrator\u0027s authenticated origin on a marketplace package view plus one hover/click/focus, no install needed.\n- Theft of the kernel API token (`conf.api.token`), which grants full Administrator API access.\n- Pivot to `installBazaarPlugin` and kernel control; the runtime image ships a shell.\n- A single malicious community package reaches every instance that views its listing.\n\n## Credit\n\nJan Kahmen, [turingpoint](https://turingpoint.de) (jan@turingpoint.de)",
"id": "GHSA-w7cg-whh7-xp28",
"modified": "2026-07-10T19:27:25Z",
"published": "2026-07-10T19:27:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w7cg-whh7-xp28"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54070"
},
{
"type": "PACKAGE",
"url": "https://github.com/siyuan-note/siyuan"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "SiYuan: Stored XSS in Bazaar marketplace via package README event handlers"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.