CVE intelligence and bounded remediation

CVE-2026-54070 — SiYuan is an open-source personal knowledge management system

High CVSS 7.1

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitize(true). The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schools legacy handler list. That map omits modern event handlers. onpointerover, onpointerdown, onauxclick, onbeforetoggle, onfocusin, onanimationstart, and ontransitionend are not in the list, so the sanitizer passes them through verbatim on any tag. The frontend assigns the rendered HTML to mdElement.innerHTML in app/src/config/bazaar.ts with no client-side DOMPurify on this path, into a normal element in the main document (no iframe, no sandbox). The kernel sends no Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options header on any response, so an inline handler runs when its event fires. The README is rendered when an Administrator opens a package in Settings → Marketplace, after the one-time marketplace trust consent. Install is not required. Result: a third-party Bazaar package author runs JavaScript…

Severity
High
CVSS
7.1 (3.1)
Published
2026-06-24
CISA KEV
Not currently listed
Ecosystem
javascript/npm
Weaknesses
CWE-79, CWE-184

Affected products

No browser-safe affected-product rows are available.

Matched remediation archetype

Cross-site scripting and unsafe browser output

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Trace reflected, stored, and DOM-derived untrusted values into HTML, attributes, URLs, styles, scripts, and client-side template sinks.
  • Identify affected origins, authenticated user roles, sensitive browser capabilities, and where content is shared across tenants.
  • Review framework escaping, rich-text sanitization, legacy templates, and client-side rendering paths.

Remediate safely

  • Use context-aware framework output encoding and safe DOM APIs; keep untrusted data out of executable contexts.
  • Sanitize intentionally supported markup with a maintained allowlist policy and validate URLs and attributes separately.
  • Update affected rendering components and add tests for every output context using inert sentinel markup.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.