Lucene search
K

383 matches found

EUVD
EUVD
added 5 days ago7 views

EUVD-2026-39126

SiYuan: Stored XSS in Bazaar marketplace via package README event handlers...

7.1CVSS6.1AI score0.0018EPSS
Exploits0References2
OSV
OSV
added 6 days ago2 views

CVE-2026-59833 SiYuan: Stored XSS to RCE in SiYuan via a per-attribute URL-scheme sanitizer gap in Lute (form action / SVG xlink:href)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored...

8.6CVSS6.1AI score0.00388EPSS
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago10 views

Malicious code in polymarket-kelly-stake-math (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9798cce0effcbcf5ed3295f322a375bb1a3cbb7e9db4b7d88c802bf5116639e3 [email protected] advertises itself as a pure Kelly-stake math helper but its postinstall hook scripts/install-check.cjs, invoked fro...

6.5AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 6 days ago8 views

PT-2026-57008

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description SiYuan uses the Lute engine to render note and package content into HTML. A flaw in the sanitization process occurs because the dangerous javascript scheme block fails to validate the form action and...

8.6CVSS6.1AI score0.00388EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 4:9 a.m.12 views

MAL-2026-6566 Malicious code in date-uuid (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a Package advertised as a UUIDv7 helper, but on require/import it auto-invokes extractDateISO in bootstrap.js, which reads README.md from process.cwd,...

5.8AI score
Exploits0References5
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/29 4:9 a.m.11 views

Malicious code in date-uuid (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58dffbe61370f78deed5bacbc8f6bc46a8a989f03da218643a41b52ed025fa6a Package advertised as a UUIDv7 helper, but on require/import it auto-invokes extractDateISO in bootstrap.js, which reads README.md from process.cwd,...

5.8AI score
Exploits0References5
NVD
NVD
added 2026/06/24 10:16 p.m.9 views

CVE-2026-54070

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitizetrue. The lute sanitizer is an event-handler blocklist: allowAttr rejects only...

7.1CVSS0.0018EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:21 p.m.20 views

CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...

8.7CVSS0.00262EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 9:21 p.m.12 views

CVE-2026-54759

SiYuan’s Lute HTML sanitizer (prior to version 3.7.0) fails to remove elements. When combined with the SiYuan Electron client’s permissive security configuration, a malicious in a Bazaar package README can trigger arbitrary command execution on the victim’s machine when package details are view...

8.7CVSS6.1AI score0.00262EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 9:21 p.m.4 views

CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...

8.7CVSS6.1AI score0.00262EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/24 9:18 p.m.18 views

CVE-2026-54070 SiYuan: Stored XSS in Bazaar marketplace via package README event handlers

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitizetrue. The lute sanitizer is an event-handler blocklist: allowAttr rejects only...

7.1CVSS0.0018EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 9:18 p.m.2 views

CVE-2026-54070 SiYuan: Stored XSS in Bazaar marketplace via package README event handlers

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitizetrue. The lute sanitizer is an event-handler blocklist: allowAttr rejects only...

7.1CVSS6AI score0.0018EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 9:18 p.m.16 views

CVE-2026-54070

CVE-2026-54070 — SiYuan : A Stored XSS in the Bazaar marketplace path arises before v3.7.0. renderPackageREADME converts Markdown READMEs to HTML using lute with SetSanitize(true), but the event-handler blocklist misses several modern handlers, allowing attributes like onpointerover, onpointerdow...

7.1CVSS5.9AI score0.0018EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.13 views

PT-2026-52110

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description The renderPackageREADME function in kernel/bazaar/readme.go renders Bazaar package READMEs from Markdown to HTML using the lute engine. The sanitizer uses a blocklist that omits modern event handlers,...

7.1CVSS6.2AI score0.0018EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.13 views

PT-2026-52112

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.0 Description Lute's HTML sanitizer fails to remove elements. When combined with the permissive security configuration of the SiYuan Electron client, this allows an attacker to embed a malicious within a Bazaar...

8.7CVSS6.1AI score0.00262EPSS
Exploits0References3
NVD
NVD
added 2026/06/21 2:16 p.m.12 views

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS0.00391EPSS
Exploits0References2
NVD
NVD
added 2026/06/21 2:16 p.m.13 views

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS0.00391EPSS
Exploits0References2
OSV
OSV
added 2026/06/21 1:27 p.m.4 views

CVE-2026-56397 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.4CVSS6.8AI score0.00391EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.7 views

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/21 1:27 p.m.12 views

EUVD-2026-38163

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

9.6CVSS6.7AI score0.00391EPSS
Exploits0References2
Rows per page
Query Builder