Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-50551.

Upgrade to Pro
CVE-2026-50551 Google Chronicle · YARA-L

Detect SiYuan Attribute View Asset Cell Stored XSS to RCE (CVE-2026-50551) in Google Chronicle

Detects exploitation of CVE-2026-50551, a stored Cross-Site Scripting (CWE-79) vulnerability in SiYuan (github.com/siyuan-note/siyuan/kernel) affecting versions prior to 0.0.0-20260628153353-2d5d72223df4. Unsanitized attribute view asset cell content allows an attacker to inject malicious script/HTML that executes in the context of the SiYuan kernel's rendering surface, which can be chained with SiYuan's local kernel API and plugin/asset execution surfaces to achieve remote code execution. Detection focuses on suspicious payloads written into attribute view (database) asset cell fields, anomalous kernel HTTP API calls consistent with XSS-to-RCE chaining, and post-exploitation process/file activity on hosts running the SiYuan kernel service.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule siyuan_xss_to_rce_cve_2026_50551 {
  meta:
    author = "df00tech"
    description = "Detects stored XSS payloads against SiYuan attribute view asset cells consistent with CVE-2026-50551 exploitation chained toward RCE"
    severity = "CRITICAL"
    cve = "CVE-2026-50551"
  events:
    $http.metadata.event_type = "NETWORK_HTTP"
    $http.target.url = /.*\/api\/(av|attributeView|asset)\/.*/ nocase
    $http.network.http.method = "POST"
    re.regex($http.network.http.response.body, `(?i)(<script|onerror=|onload=|javascript:|document\.cookie|eval\()`)

    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.target.process.command_line = /.*(curl|wget|powershell|bash -c|reverse).*/ nocase
    $proc.principal.hostname = $http.principal.hostname
  match:
    $http.principal.hostname over 10m
  condition:
    $http and $proc
}
critical severity medium confidence

Chronicle YARA-L rule correlating XSS payload injection into SiYuan attribute view/asset endpoints with subsequent process launches on the same host, indicating exploitation of CVE-2026-50551.

Data Sources

Chronicle Network HTTP EventsChronicle Process Launch Events

Required Tables

NETWORK_HTTPPROCESS_LAUNCH

False Positives & Tuning

  • Coincidental process launches unrelated to the HTTP request within the correlation window
  • Legitimate developer or QA testing traffic against the API with similar strings
  • Hostname reuse across unrelated services generating false correlation

Other platforms for CVE-2026-50551


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inject stored XSS payload into SiYuan attribute view asset cell

    Expected signal: HTTP POST request to /api/av/setAttributeViewCell containing an <img onerror=...> payload in RequestBody, logged in proxy/access logs.

  2. Test 2Render malicious attribute view cell to trigger stored XSS

    Expected signal: Kernel API request to render the attribute view; if a headless/WebView renderer is used, outbound network telemetry to attacker.example may be observed.

  3. Test 3Simulate XSS-to-RCE chain via local plugin/script execution

    Expected signal: Process creation event for bash/curl spawned in close temporal proximity to the SiYuan kernel process, plus a network connection attempt to an external/test host.

  4. Test 4Windows lab validation of downstream process spawn after payload render

    Expected signal: Sysmon Event ID 1 (Process Creation) for powershell.exe with a benign command line, occurring shortly after a simulated attribute view API request.

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-50551 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections