CVE-2026-56397

CRITICAL

SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

Title source: cna

Description

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.

References (2)

Core References
Vendor Advisory
GHSA Advisory GHSA-v3mg-9v85-fcm7
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-v3mg-9v85-fcm7
Third Party Advisory
VulnCheck Advisory: SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
https://www.vulncheck.com/advisories/siyuan-remote-code-execution-via-malicious-bazaar-package-metadata-and-readme-2

Scores

CVSS v3 9.6
EPSS 0.0039
EPSS Percentile 31.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (2)
SiYuan/SiYuan < 3.6.1
SiYuan/SiYuan 3.6.1
Published Jun 21, 2026
Tracked Since Jun 21, 2026