150 matches found

OSV
added 2026/03/18 4:09 p.m. | 4 views

GHSA-MVPM-V6Q4-M2PF SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Summary: SiYuan's Bazaar community marketplace renders the package metadata fields displayName and description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which...

CVSS 5.3 | AI score 6.5 | EPSS 0.00549
Exploits 2 | References 3

Github Security Blog
added 2026/03/16 8:43 p.m. | 7 views

SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS

Summary: SiYuan's Bazaar community marketplace renders plugin/theme/template metadata and README content without sanitization. A malicious package author can achieve RCE on any user who browses the Bazaar by: 1. Package metadata...

AI score 6.6
Exploits 0 | References 2 | Affected software 1

OSV
added 2026/03/16 6:47 p.m. | 4 views

GHSA-QR46-RCV3-4HQ3 SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface

Summary: SiYuan's mobile file tree (MobileFiles.ts) renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version (Files.ts) properly uses escapeHtml for the same...

CVSS 5.1 | AI score 6.6 | EPSS 0.00796
Exploits 1 | References 5

Positive Technologies
added 2026/03/16 12:00 a.m. | 5 views

PT-2026-25826

Name of the vulnerable software and affected versions: SiYuan versions 3.6.0 and below (SiYuan versions prior to 3.6.1). Description: SiYuan is a personal knowledge management system. The mobile file tree component MobileFiles.ts renders notebook names using innerHTML without proper HTML escaping when...

CVSS 9 | AI score 6 | EPSS 0.00796
Exploits 1 | References 9

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2019-8356

Malware in sbrugna...

CVSS 9.8 | AI score 9.2 | EPSS 0.00765
Exploits 1 | References 2

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2020-8569

Malware in sbrugna...

CVSS 9.6 | AI score 9.1 | EPSS 0.0434
Exploits 1 | References 3

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2018-1933

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.01203
Exploits 1 | References 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2020-18783

Malware in sbrugna...

CVSS 9.6 | AI score 9.2 | EPSS 0.01833
Exploits 0 | References 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-1605

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.01044
Exploits 0 | References 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2020-18784

Malware in sbrugna...

CVSS 9.6 | AI score 9.2 | EPSS 0.01833
Exploits 0 | References 2

EUVD
added 2025/10/03 8:07 p.m. | 0 views

EUVD-2022-4421

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.2 | EPSS 0.01108
Exploits 0 | References 3

RedhatCVE
added 2025/05/23 9:18 a.m. | 4 views

CVE-2024-3166

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which...

CVSS 9.6 | AI score 6.6 | EPSS 0.00962
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 11:41 p.m. | 2 views

CVE-2022-41709

Markdownify version 1.4.1 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Markdownify. This is possible because the application has the "nodeIntegration" option enabled...

CVSS 7.8 | AI score 7.8 | EPSS 0.00426
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 11:27 p.m. | 6 views

CVE-2022-40274

Gridea version 0.9.3 allows an external attacker to execute arbitrary code remotely on any client attempting to view a malicious markdown file through Gridea. This is possible because the application has the 'nodeIntegration' option enabled...

CVSS 7.8 | AI score 7.7 | EPSS 0.00416
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 4:51 p.m. | 5 views

CVE-2020-8548

massCode 1.0.0-alpha.6 allows XSS via crafted Markdown text, with resultant remote code execution because nodeIntegration in webPreferences is true...

CVSS 6.1 | AI score 6.8 | EPSS 0.01436
Exploits 1 | References 1

RedhatCVE
added 2025/05/22 4:22 p.m. | 7 views

CVE-2020-15215

Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass,...

CVSS 6.8 | AI score 6.9 | EPSS 0.00675
Exploits 0

RedhatCVE
added 2025/05/22 4:00 p.m. | 5 views

CVE-2020-16608

Notable 1.8.4 allows XSS via crafted Markdown text, with resultant remote code execution because nodeIntegration in webPreferences is true...

CVSS 9.6 | AI score 6.8 | EPSS 0.0434
Exploits 1

RedhatCVE
added 2025/05/22 3:23 p.m. | 20 views

CVE-2020-26157

Leanote Desktop through 2.6.2 allows XSS because a note's title is mishandled during syncing. This leads to remote code execution because of Node integration...

CVSS 9.6 | AI score 7 | EPSS 0.01833
Exploits 0

RedhatCVE
added 2025/05/22 6:21 a.m. | 6 views

CVE-2017-1000491

Shiba markdown live preview app version 1.1.0 is vulnerable to XSS which leads to code execution due to enabled node integration...

CVSS 6.1 | AI score 6.5 | EPSS 0.01108
Exploits 0 | References 1

RedhatCVE
added 2025/05/22 6:06 a.m. | 3 views

CVE-2017-1000492

Leanote-desktop version v2.5 is vulnerable to an XSS which leads to code execution due to enabled node integration...

CVSS 6.1 | AI score 7 | EPSS 0.01044
Exploits 0 | References 1