Description
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
Published: 2026-06-21
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan versions prior to 3.6.1 do not sanitize package metadata and README fields presented in the Bazaar marketplace. Malicious authors can inject arbitrary HTML and JavaScript into these fields, which is then executed within the Electron runtime because nodeIntegration is enabled. The injected code can run OS level commands, resulting in full remote code execution on the local user machine.

Affected Systems

The vulnerability affects the SiYuan application for all users running any version before 3.6.1. No specific build or minor release was singled out; the issue is present across all releases that have not applied the 3.6.1 patch.

Risk and Exploitability

The flaw carries a CVSS score of 9.4, indicating a high-risk vulnerability. The EPSS score is not available, so current real‑world exploitation probability cannot be quantified. It is not listed in the CISA KEV catalog. Attackers must supply a malicious package to the Bazaar marketplace; any user who views that package triggers the payload, so the attack vector is indirect but high impact for users who browse or install Bazaar packages.

Generated by OpenCVE AI on June 21, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install SiYuan version 3.6.1 or later, which remediates the metadata sanitization flaw.
  • Limit Bazaar marketplace usage to trusted or verified authors, or disable the marketplace entirely if not needed for your workflow.
  • Configure the Electron application to disable nodeIntegration by setting the relevant webPreferences option to false, preventing execution of injected scripts from untrusted content.

Generated by OpenCVE AI on June 21, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
Title SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
First Time appeared B3log
B3log siyuan
Weaknesses CWE-79
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T10:29:04.706Z

Reserved: 2026-06-21T12:37:58.434Z

Link: CVE-2026-56395

cve-icon Vulnrichment

Updated: 2026-06-22T10:28:45.953Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T19:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')