What is CVE-2026-33067?

CVE-2026-33067 is a vulnerability in Siyuan-note Siyuan, classified under Cross-site Scripting. Published 2026-03-20.

Is CVE-2026-33067 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

XSS in Siyuan-note Siyuan

CVE-2026-33067

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaSc…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (28.8th percentile) — read the EPSS interpretation.

Affected products

Siyuan-note Siyuan — versions < 3.6.1

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

Public proof-of-concept exploits

Lopseg/cve-2026-33067

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-mvpm-v6q4-m2pf (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-33067?: CVE-2026-33067 is a vulnerability in Siyuan-note Siyuan, classified under Cross-site Scripting. Published 2026-03-20.
Is CVE-2026-33067 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.