Impact
SiYuan versions prior to 3.6.1 do not sanitize package metadata and README fields presented in the Bazaar marketplace. Malicious authors can inject arbitrary HTML and JavaScript into these fields, which is then executed within the Electron runtime because nodeIntegration is enabled. The injected code can run OS level commands, resulting in full remote code execution on the local user machine.
Affected Systems
The vulnerability affects the SiYuan application for all users running any version before 3.6.1. No specific build or minor release was singled out; the issue is present across all releases that have not applied the 3.6.1 patch.
Risk and Exploitability
The flaw carries a CVSS score of 9.4, indicating a high-risk vulnerability. The EPSS score is not available, so current real‑world exploitation probability cannot be quantified. It is not listed in the CISA KEV catalog. Attackers must supply a malicious package to the Bazaar marketplace; any user who views that package triggers the payload, so the attack vector is indirect but high impact for users who browse or install Bazaar packages.
OpenCVE Enrichment