Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-50551.

Upgrade to Pro
CVE-2026-50551

SiYuan Attribute View Asset Cell Stored XSS to RCE (CVE-2026-50551)

Detects exploitation of CVE-2026-50551, a stored Cross-Site Scripting (CWE-79) vulnerability in SiYuan (github.com/siyuan-note/siyuan/kernel) affecting versions prior to 0.0.0-20260628153353-2d5d72223df4. Unsanitized attribute view asset cell content allows an attacker to inject malicious script/HTML that executes in the context of the SiYuan kernel's rendering surface, which can be chained with SiYuan's local kernel API and plugin/asset execution surfaces to achieve remote code execution. Detection focuses on suspicious payloads written into attribute view (database) asset cell fields, anomalous kernel HTTP API calls consistent with XSS-to-RCE chaining, and post-exploitation process/file activity on hosts running the SiYuan kernel service.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
go
Product
github.com/siyuan-note/siyuan/kernel
Versions
< 0.0.0-20260628153353-2d5d72223df4

Weakness (CWE)

Timeline

Disclosed
July 10, 2026

CVSS

9.9
Critical (9.0–10)

CVSS vector not yet published

Read the write-up →

What is CVE-2026-50551 SiYuan Attribute View Asset Cell Stored XSS to RCE (CVE-2026-50551)?

SiYuan Attribute View Asset Cell Stored XSS to RCE (CVE-2026-50551) (CVE-2026-50551) maps to the Initial Access and Execution and Privilege Escalation tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for SiYuan Attribute View Asset Cell Stored XSS to RCE (CVE-2026-50551), covering the data sources and telemetry it touches: Web Application Firewall Logs, IIS/Reverse Proxy Logs, EDR Process Creation Telemetry. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation
Microsoft Sentinel / Defender
kusto
// Detect suspicious script payloads written to SiYuan attribute view asset cells via kernel API, followed by execution indicators
let suspiciousPatterns = dynamic(["<script","onerror=","onload=","javascript:","<img src=x","document.cookie","fetch(","XMLHttpRequest","eval(","child_process","os/exec","cmd.exe","/bin/sh"]);
let siyuanApiCalls = W3CIISLog
| union (AWSCloudTrail)
| union (Syslog)
| where isnotempty(RequestUrl) or isnotempty(Computer)
| project TimeGenerated, RequestUrl, Computer, csUriStem = coalesce(csUriStem, RequestUrl);
let flaggedRequests = HttpRequest
| where Url has_any ("/api/av/", "/api/attributeView/", "/api/asset/")
| where RequestBody has_any (suspiciousPatterns)
| project TimeGenerated, SourceIP, Url, RequestBody, UserAgent;
flaggedRequests
| join kind=leftouter (
    ProcessCreationEvents
    | where ProcessCommandLine has_any ("curl", "wget", "powershell", "bash -c", "/bin/sh -c", "nc ", "reverse")
    | project TimeGenerated, Computer, ProcessCommandLine
) on $left.TimeGenerated == $right.TimeGenerated
| project TimeGenerated, SourceIP, Url, RequestBody, UserAgent, Computer, ProcessCommandLine
| order by TimeGenerated desc

Flags HTTP requests to SiYuan kernel attribute view / asset API endpoints containing script injection payloads consistent with CVE-2026-50551, correlated with follow-on process execution on the host.

critical severity medium confidence

Data Sources

Web Application Firewall Logs IIS/Reverse Proxy Logs EDR Process Creation Telemetry

Required Tables

HttpRequest ProcessCreationEvents W3CIISLog

False Positives

  • Legitimate use of HTML-like content or code snippets pasted into SiYuan notes by users testing markdown/HTML rendering
  • Security scanners/pentest tools probing the API with XSS payloads as part of authorized testing
  • Developers debugging attribute view rendering with script-like sample data

Sigma rule & cross-platform mapping

The detection logic for SiYuan Attribute View Asset Cell Stored XSS to RCE (CVE-2026-50551) (CVE-2026-50551) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inject stored XSS payload into SiYuan attribute view asset cell

    Expected signal: HTTP POST request to /api/av/setAttributeViewCell containing an <img onerror=...> payload in RequestBody, logged in proxy/access logs.

  2. Test 2Render malicious attribute view cell to trigger stored XSS

    Expected signal: Kernel API request to render the attribute view; if a headless/WebView renderer is used, outbound network telemetry to attacker.example may be observed.

  3. Test 3Simulate XSS-to-RCE chain via local plugin/script execution

    Expected signal: Process creation event for bash/curl spawned in close temporal proximity to the SiYuan kernel process, plus a network connection attempt to an external/test host.

  4. Test 4Windows lab validation of downstream process spawn after payload render

    Expected signal: Sysmon Event ID 1 (Process Creation) for powershell.exe with a benign command line, occurring shortly after a simulated attribute view API request.

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-50551 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections