CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 3 days ago•8 views

CVE-2026-56395

9.6CVSS0.00391EPSS

EUVD•added 3 days ago•8 views

EUVD-2026-38163

ATTACKERKB•added 3 days ago•6 views

CVE-2026-56397

CVE•added 3 days ago•19 views

Exploits0References3

CVE-2026-56397

CVE-2026-56397 affects SiYuan prior to v3.6.1 where Bazaar marketplace metadata and README aren’t sanitized, allowing malicious authors to inject HTML/JavaScript. This can enable remote code execution on users browsing Bazaar by embedding XSS payloads in displayName, description, or README, takin...

EUVD•added 3 days ago•7 views

EUVD-2026-38161

ATTACKERKB•added 3 days ago•6 views

CVE-2026-56395

Cvelist•added 3 days ago•30 views

Exploits0References3

CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

9.6CVSS0.00391EPSS

CVE•added 3 days ago•16 views

CVE-2026-56395

SiYuan exposes a vulnerability (CVE-2026-56395) where SieYuan versions prior to 3.6.1 fail to sanitize Bazaar marketplace metadata and README content, enabling arbitrary HTML/JavaScript injection. The underlying issue is improper sanitization of package displayName, description, or README fields,...

RedhatCVE•added 2026/06/05 7:12 p.m.•5 views

CVE-2026-44586

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS5.7AI score0.00307EPSS

OSV•added 2026/05/20 7:7 p.m.•7 views

GO-2026-5001 SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel

SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...

9CVSS6.2AI score0.00361EPSS

Positive Technologies•added 2026/05/20 12:0 a.m.•10 views

PT-2026-42383

SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...

9CVSS6.2AI score0.00361EPSS

Exploits0References3

RedhatCVE•added 2026/05/16 1:57 a.m.•11 views

CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

NVD•added 2026/05/14 7:16 p.m.•12 views

CVE-2026-45375

9CVSS0.00361EPSS

NVD•added 2026/05/14 7:16 p.m.•11 views

CVE-2026-44586

8.3CVSS0.00307EPSS

Cvelist•added 2026/05/14 6:13 p.m.•30 views

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

9CVSS0.00361EPSS

EUVD•added 2026/05/14 6:13 p.m.•5 views

EUVD-2026-30356

Vulnrichment•added 2026/05/14 6:13 p.m.•5 views

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

CVE•added 2026/05/14 6:13 p.m.•14 views

CVE-2026-45375

SiYuan’s Bazaar marketplace before version 3.7.0 renders unsanitized package metadata (name, version) from plugin.json (and equivalent theme/template/widget/icon.json) into the Marketplace UI via innerHTML. The kernel sanitizer escapes Author, DisplayName, and Description, but not Name/Version, a...

EUVD•added 2026/05/14 6:11 p.m.•8 views

EUVD-2026-30354

8.3CVSS6AI score0.00307EPSS