CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVE-2026-44586

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

GO-2026-5001 SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel

SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...

PT-2026-42383

SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...

CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

EUVD-2026-30356

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

CVE-2026-45375

SiYuan’s Bazaar marketplace before version 3.7.0 renders unsanitized package metadata (name, version) from plugin.json (and equivalent theme/template/widget/icon.json) into the Marketplace UI via innerHTML. The kernel sanitizer escapes Author, DisplayName, and Description, but not Name/Version, a...

CVE-2026-44586 SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

CVE-2026-44586 SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

CVE-2026-44586

SiYuan (desktop) Bazaar marketplace before 3.7.0 renders package author metadata into HTML without escaping, enabling stored XSS. Because Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload could access Node.js APIs and run code on the host. A...

SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...

GHSA-27QC-M5GF-JV5R SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...

SiYuan has incomplete fix for CVE-2026-33066: XSS

Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...

GHSA-8Q5W-MMXF-48JG SiYuan has incomplete fix for CVE-2026-33066: XSS

Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...

PT-2026-26097

Stored XSS to RCE via Unsanitized Bazaar Package Metadata Summary SiYuan's Bazaar community marketplace renders package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which...

GHSA-V3MG-9V85-FCM7 SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS

Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Summary SiYuan's Bazaar community marketplace renders plugin/theme/template metadata and README content without sanitization. A malicious package author can achieve RCE on any user who browses the Bazaar by: 1. Package metadata...

SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS

Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Summary SiYuan's Bazaar community marketplace renders plugin/theme/template metadata and README content without sanitization. A malicious package author can achieve RCE on any user who browses the Bazaar by: 1. Package metadata...