225 matches found
GO-2026-5001 SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel
SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...
PT-2026-42383
SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...
CVE-2026-45375
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...
CVE-2026-45375
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...
CVE-2026-44586
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...
CVE-2026-45375
SiYuan’s Bazaar marketplace before version 3.7.0 renders unsanitized package metadata (name, version) from plugin.json (and equivalent theme/template/widget/icon.json) into the Marketplace UI via innerHTML. The kernel sanitizer escapes Author, DisplayName, and Description, but not Name/Version, a...
EUVD-2026-30356
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...
CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...
CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...
CVE-2026-44586
SiYuan (desktop) Bazaar marketplace before 3.7.0 renders package author metadata into HTML without escaping, enabling stored XSS. Because Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload could access Node.js APIs and run code on the host. A...
EUVD-2026-30354
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...
CVE-2026-44586 SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...
CVE-2026-44586 SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...
PT-2026-41017
SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...
SiYuan 跨站脚本漏洞
SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan prior to 3.7.0 contained a cross-site scripting vulnerability. This vulnerability occurred because the Bazaar marketplace rendered field names and version fields without proper HTML escaping, whi...
SiYuan 跨站脚本漏洞
SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan from 2.1.12 to 3.7.0 had a cross-site scripting vulnerability. This vulnerability stemmed from unescaped metadata in the Bazaar marketplace rendering packages, which could lead to storage-based...
GHSA-27QC-M5GF-JV5R SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...
YesWiki SQL注入漏洞
YesWiki is a wiki system built with PHP, developed by the French organization YesWiki. It is used for creating and managing websites in a collaborative manner. Versions of YesWiki prior to 4.6.1 had a SQL injection vulnerability. This vulnerability stemmed from the direct concatenation of the...
Wireshark 2.2.x < 2.2.16 Multiple Vulnerabilities (macOS)
The version of Wireshark installed on the remote macOS / Mac OS X host is prior to 2.2.16. It is, therefore, affected by multiple vulnerabilities as referenced in the wireshark-2.2.16 advisory. - In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the Bazaar protocol dissector could...