Description
SiYuan is an open-source personal knowledge management system. From version 2.1.12 to before 3.7.0, SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.
Published: 2026-05-14
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan's Bazaar marketplace takes package author metadata from the public bazaar stage feed and inserts it into the application's HTML without escaping. An attacker who can get a package with hostile author fields into that feed therefore has a stored XSS vector: the payload is delivered to every desktop client that renders the marketplace listing. Because SiYuan's Electron renderer windows are created with nodeIntegration enabled and contextIsolation disabled, script running in the page can reach Node.js APIs directly, so the XSS escalates to arbitrary code execution on the user's machine with the user's privileges. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'); the Electron configuration amplifies it into CWE-94 (Improper Control of Generation of Code).
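The rendering defect described above, reduced to its generic form as an added example (this is not SiYuan's code and not the project's fix): a template that concatenates feed-supplied author fields straight into markup, beside the same template with escaping. The package object, its hostile author string, the escape helper and the tag-scanning check are all constructed for the demonstration.

```javascript
// Added example, not SiYuan's code: the generic pattern behind CWE-79 in a
// marketplace listing, and the escaped version that neutralises it.

// Escapes the characters that can break out of text or double-quoted
// attribute context in HTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: feed-supplied fields concatenated directly into markup.
// Anything in pkg.author that contains '<' becomes live HTML in the page.
function renderAuthorUnsafe(pkg) {
  return `<div class="author"><a href="${pkg.url}">${pkg.author}</a></div>`;
}

// Fixed pattern: every untrusted field is escaped, and the link target is
// restricted to http(s) so a javascript: URL cannot be smuggled in either.
function renderAuthorSafe(pkg) {
  const url = /^https?:\/\//i.test(String(pkg.url)) ? String(pkg.url) : "#";
  return `<div class="author"><a href="${escapeHtml(url)}">${escapeHtml(pkg.author)}</a></div>`;
}

// Crude check for the demonstration only: list any tag in the rendered markup
// that the template itself does not emit. A real test would use a DOM parser.
function injectedTags(html) {
  const templateTags = new Set(["div", "/div", "a", "/a"]);
  const found = [];
  for (const m of html.matchAll(/<\s*(\/?[a-z][a-z0-9]*)/gi)) {
    const tag = m[1].toLowerCase();
    if (!templateTags.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed feed entry with hostile author metadata (not from any real feed).
// The onerror handler only sets a flag here; in a renderer with nodeIntegration
// enabled the same handler could reach Node.js APIs.
const hostilePkg = {
  author: '<img src=x onerror="window.__xss_fired = true">',
  url: "javascript:void(0)",
};

// Runs both templates over an entry and reports what leaked through.
function demo(pkg = hostilePkg) {
  return {
    unsafeInjected: injectedTags(renderAuthorUnsafe(pkg)), // ["img"]
    safeInjected: injectedTags(renderAuthorSafe(pkg)),     // []
    safeHtml: renderAuthorSafe(pkg),
  };
}
```

Call demo() to see the difference: the unsafe template lets the injected img element through, the safe one renders the author string as inert text and drops the javascript: link. Escaping at the point of insertion is the fix for the XSS itself; it does nothing about the Electron settings that turn the XSS into code execution, which are a separate change.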

Affected Systems

The affected builds are all SiYuan releases from 2.1.12 up to, but not including, 3.7.0. Because the metadata comes from the public feed and is rendered when the marketplace listing is displayed, any user of an affected version who opens the Bazaar view while a hostile entry is in the feed is exposed, whether or not they install the package. Releases before 2.1.12 are not listed as affected, and 3.7.0 and later contain the fix.

Risk and Exploitability

With a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) this flaw is rated high severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records exploitation status 'poc', so a proof of concept exists but no in-the-wild exploitation is known. Attack complexity is rated high because the attacker must first get malicious metadata into the public bazaar stage feed, and user interaction is required because the victim must open the marketplace in an affected client. Once that happens the path is straightforward: the stored XSS fires in a renderer that has Node.js access, and the attacker can run arbitrary code on the host with the user's privileges, which is why the scope is changed and all three impact metrics are high.

Generated by OpenCVE AI on May 14, 2026 at 21:07 UTC.

Remediation

Fixed by the vendor in SiYuan 3.7.0, as stated in the description. No workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade to SiYuan 3.7.0 or later, which fixes the unescaped rendering of Bazaar author metadata.
  • Until the upgrade is done, avoid opening the Bazaar marketplace view on affected versions; merely displaying the listing renders the feed's author metadata, so declining to install packages is not sufficient on its own.
  • For the project and anyone building SiYuan from source: create Electron windows with contextIsolation: true and nodeIntegration: false (and the sandbox enabled), exposing only the IPC the page needs through a contextBridge preload, so a renderer-side XSS cannot reach Node.js APIs. This is a build-time change, not an end-user setting.
  • Install packages only from authors you trust, and report marketplace entries whose author fields contain markup or script.
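The third recommendation, as an added example that is not SiYuan's code: a small audit of Electron BrowserWindow webPreferences for the settings that decide whether a renderer XSS becomes host code execution, the hardened shape beside the weak one, and a check for a preload script that hands the page a raw Electron object. It runs under plain Node without Electron; the preload path and the preload snippets are placeholders constructed for the example.

```javascript
// Added example, not SiYuan's code: audit the BrowserWindow webPreferences
// that decide whether a renderer XSS can reach Node.js, and show the hardened
// shape. Runs under plain Node; no Electron needed.

// The configuration pattern the advisory describes.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };

// Hardened configuration: no Node in the page, preload code in an isolated
// world, OS sandbox on, and a preload bridge as the only route to privileged
// functionality. The preload path is a placeholder for this example.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: "/app/preload.js",
};

// Returns the findings for one webPreferences object, and whether an XSS in
// that window can call Node.js directly (nodeIntegration puts require() in
// the page's own world, regardless of contextIsolation).
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration: true lets page scripts require() Node modules");
  }
  if (prefs.contextIsolation === false) {
    findings.push("contextIsolation: false lets page scripts reach preload globals and prototypes");
  }
  if (prefs.sandbox === false) {
    findings.push("sandbox: false runs the renderer without the OS-level sandbox");
  }
  if (prefs.webSecurity === false) {
    findings.push("webSecurity: false disables the same-origin policy");
  }
  // Electron's defaults for these have changed across major versions, so an
  // unset value is a finding too: the effective value depends on which
  // Electron the app ships with.
  for (const key of ["nodeIntegration", "contextIsolation", "sandbox"]) {
    if (prefs[key] === undefined) {
      findings.push(`${key} is unset; set it explicitly rather than relying on the Electron default`);
    }
  }
  return { findings, xssIsRce: prefs.nodeIntegration === true };
}

// Audits a set of named windows and returns one report per window.
function auditWindows(windows) {
  const report = {};
  for (const [name, prefs] of Object.entries(windows)) {
    report[name] = auditWebPreferences(prefs);
  }
  return report;
}

// With contextIsolation on, the preload should expose a narrow, named API via
// contextBridge instead of Node or Electron objects. Both snippets are kept as
// strings so this file runs outside Electron; they show the shape only.
const goodPreloadShape = `
const { contextBridge, ipcRenderer } = require('electron');
contextBridge.exposeInMainWorld('bazaar', {
  install: (packageId) => ipcRenderer.invoke('bazaar:install', String(packageId)),
});
`;

const badPreloadShape = `
const { contextBridge, ipcRenderer } = require('electron');
contextBridge.exposeInMainWorld('api', ipcRenderer);
`;

// Flags a preload that exposes a whole Node/Electron object to the page, which
// gives an XSS payload every IPC channel the main process handles.
function preloadExposesRawObject(src) {
  return /exposeInMainWorld\s*\(\s*['"][^'"]*['"]\s*,\s*(ipcRenderer|require|process|electron)\b/.test(src);
}
```

auditWindows({ main: weakPrefs }) reports xssIsRce: true for the weak shape and an empty findings list for hardenedPrefs. The audit is deliberately strict about unset keys: a window whose options omit nodeIntegration or contextIsolation gets whatever the bundled Electron version defaults to, and that default has moved over the years, so the safe practice is to pin every one of these explicitly.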

Advisories

No advisories yet.

History

Thu, 14 May 2026 21:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 19:00:00 +0000

Type: Description
Values removed: (none)
Values added: SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

Type: Title
Values removed: (none)
Values added: SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution

Type: Weaknesses
Values removed: (none)
Values added: CWE-79, CWE-94

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T19:35:27.517Z

Reserved: 2026-05-06T21:49:12.425Z

Link: CVE-2026-44586

Vulnrichment

Updated: 2026-05-14T19:35:10.686Z

NVD

Status: Deferred

Published: 2026-05-14T19:16:37.727

Modified: 2026-05-14T21:22:56.313

Link: CVE-2026-44586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T21:15:16Z

Weaknesses