Lucene search
K

11 matches found

NVD
NVD
added 2026/06/21 2:16 p.m.11 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS0.00391EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:27 p.m.30 views

CVE-2026-56397

CVE-2026-56397 affects SiYuan prior to v3.6.1 where Bazaar marketplace metadata and README aren’t sanitized, allowing malicious authors to inject HTML/JavaScript. This can enable remote code execution on users browsing Bazaar by embedding XSS payloads in displayName, description, or README, takin...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/21 1:27 p.m.7 views

EUVD-2026-38161

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References2
CVE
CVE
added 2026/06/21 1:27 p.m.28 views

CVE-2026-56395

SiYuan exposes a vulnerability (CVE-2026-56395) where SieYuan versions prior to 3.6.1 fail to sanitize Bazaar marketplace metadata and README content, enabling arbitrary HTML/JavaScript injection. The underlying issue is improper sanitization of package displayName, description, or README fields,...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.22 views

PT-2026-51236

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.1 Description SiYuan fails to sanitize package metadata and README content within the Bazaar marketplace. This allows malicious authors to inject arbitrary HTML and JavaScript into the displayName, description, or...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References7
NVD
NVD
added 2026/05/14 7:16 p.m.19 views

CVE-2026-44586

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows a...

8.3CVSS0.00307EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 6:13 p.m.8 views

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

9CVSS5.8AI score0.00361EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.8 views

SiYuan 跨站脚本漏洞

SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan prior to 3.7.0 contained a cross-site scripting vulnerability. This vulnerability occurred because the Bazaar marketplace rendered field names and version fields without proper HTML escaping, whi...

9CVSS5.7AI score0.00361EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.14 views

SiYuan 跨站脚本漏洞

SiYuan is an open-source personal knowledge management system developed by SiYuan. Versions of SiYuan from 2.1.12 to 3.7.0 had a cross-site scripting vulnerability. This vulnerability stemmed from unescaped metadata in the Bazaar marketplace rendering packages, which could lead to storage-based...

8.3CVSS5.9AI score0.00307EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/20 8:14 a.m.26 views

CVE-2026-33067 SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...

5.3CVSS0.00549EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2026/03/20 8:14 a.m.2 views

CVE-2026-33067 SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...

5.3CVSS6AI score0.00549EPSS
Exploits2References1
Rows per page
Query Builder