CVE-2026-56395
CRITICAL
SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
Title source: cna
Description
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
References (2)
Core References
Vendor Advisory
GHSA Advisory GHSA-v3mg-9v85-fcm7
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-v3mg-9v85-fcm7
Third Party Advisory
VulnCheck Advisory: SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
https://www.vulncheck.com/advisories/siyuan-remote-code-execution-via-malicious-bazaar-package-metadata-and-readme
Scores
CVSS v3
9.6
EPSS
0.0039
EPSS Percentile
31.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (2)
SiYuan/SiYuan
< 3.6.1
SiYuan/SiYuan
3.6.1
Published
Jun 21, 2026
Tracked Since
Jun 21, 2026