Lucene search
K

243 matches found

RedhatCVE
RedhatCVE
added 2026/05/16 1:57 a.m.12 views

CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.14 views

CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS0.00361EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 7:16 p.m.19 views

CVE-2026-44586

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS0.00307EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 6:13 p.m.34 views

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS0.00361EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 6:13 p.m.15 views

CVE-2026-45375

SiYuan’s Bazaar marketplace before version 3.7.0 renders unsanitized package metadata (name, version) from plugin.json (and equivalent theme/template/widget/icon.json) into the Marketplace UI via innerHTML. The kernel sanitizer escapes Author, DisplayName, and Description, but not Name/Version, a...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 6:13 p.m.8 views

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 6:13 p.m.6 views

EUVD-2026-30356

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
CVE
CVE
added 2026/05/14 6:11 p.m.19 views

CVE-2026-44586

SiYuan (desktop) Bazaar marketplace before 3.7.0 renders package author metadata into HTML without escaping, enabling stored XSS. Because Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload could access Node.js APIs and run code on the host. A...

8.3CVSS6AI score0.00307EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 6:11 p.m.32 views

CVE-2026-44586 SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS0.00307EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 6:11 p.m.6 views

CVE-2026-44586 SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS6AI score0.00307EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/14 6:11 p.m.11 views

EUVD-2026-30354

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS6AI score0.00307EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.8 views

SiYuan 跨站脚本漏洞

SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan prior to 3.7.0 contained a cross-site scripting vulnerability. This vulnerability occurred because the Bazaar marketplace rendered field names and version fields without proper HTML escaping, whi...

9CVSS5.7AI score0.00361EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.13 views

SiYuan 跨站脚本漏洞

SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan from 2.1.12 to 3.7.0 had a cross-site scripting vulnerability. This vulnerability stemmed from unescaped metadata in the Bazaar marketplace rendering packages, which could lead to storage-based...

8.3CVSS5.9AI score0.00307EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.11 views

PT-2026-41017

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS6AI score0.00307EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/13 3:33 p.m.8 views

SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...

9CVSS6AI score0.00361EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/13 3:33 p.m.5 views

GHSA-27QC-M5GF-JV5R SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...

9CVSS6AI score0.00361EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/07 12:0 a.m.9 views

YesWiki SQL注入漏洞

YesWiki is a wiki system built with PHP, developed by the French organization YesWiki. It is used for creating and managing websites in a collaborative manner. Versions of YesWiki prior to 4.6.1 had a SQL injection vulnerability. This vulnerability stemmed from the direct concatenation of the...

8.8CVSS5.8AI score0.00342EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/05/01 12:0 a.m.9 views

Wireshark 2.4.x < 2.4.8 Multiple Vulnerabilities (macOS)

The version of Wireshark installed on the remote macOS / Mac OS X host is prior to 2.4.8. It is, therefore, affected by multiple vulnerabilities as referenced in the wireshark-2.4.8 advisory. - In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the IEEE 802.11 protocol dissector could crash. This wa...

7.8CVSS7.4AI score0.03773EPSS
Exploits3References31
Tenable Nessus
Tenable Nessus
added 2026/05/01 12:0 a.m.4 views

Wireshark 2.2.x < 2.2.16 Multiple Vulnerabilities

The version of Wireshark installed on the remote Windows host is prior to 2.2.16. It is, therefore, affected by multiple vulnerabilities as referenced in the wireshark-2.2.16 advisory. - In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the Bazaar protocol dissector could go into ...

7.8CVSS6.8AI score0.03773EPSS
Exploits4References53
Tenable Nessus
Tenable Nessus
added 2026/05/01 12:0 a.m.10 views

Wireshark 2.2.x < 2.2.16 Multiple Vulnerabilities (macOS)

The version of Wireshark installed on the remote macOS / Mac OS X host is prior to 2.2.16. It is, therefore, affected by multiple vulnerabilities as referenced in the wireshark-2.2.16 advisory. - In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the Bazaar protocol dissector could...

7.8CVSS7.2AI score0.03773EPSS
Exploits4References53
Rows per page
Query Builder