SiYuan Desktop App Stored Cross-Site Scripting Vulnerability with Node.js Code Execution

A stored cross-site scripting vulnerability has been identified in the SiYuan desktop application, specifically in versions 2.1.12 prior to 3.7.0. This issue arises because the application’s Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without proper escaping. In the desktop app, this unescaped data can be exploited to execute JavaScript, with access to Node.js APIs, allowing arbitrary code execution on the host machine.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, with injected JavaScript executing in an Electron environment that has Node.js integration, leading to arbitrary code execution on the user's machine.

Reproduction

To reproduce this vulnerability, create a plugin repository with a `plugin.json` file that includes an HTML payload in the `author` field. Once the package is accepted into the SiYuan Bazaar marketplace, the payload will execute when the marketplace is browsed, or by opening the package detail view on older releases.

Remediation

Users should update to SiYuan version 3.7.0 or later, where this vulnerability has been fixed.