Description
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
Published: 2026-06-21
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan before version 3.6.1 does not sanitize the displayName, description, or README fields for packages in its Bazaar marketplace. This oversight allows a malicious package author to inject arbitrary HTML and JavaScript directly into the UI. Because the Electron environment of SiYuan has nodeIntegration enabled, the injected code can execute native operating system commands, providing attackers with full remote code execution on the client machine.

Affected Systems

All installations of the SiYuan note‑taking application with a Bazaar marketplace component running a version older than 3.6.1 are potentially affected. The vulnerability specifically targets the package metadata and README rendering process in the Bazaar interface.

Risk and Exploitability

The CVSS score of 9.4 indicates a high‑severity risk. Although no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, the impact is substantial: any user who opens or examines a malicious package will have the opportunity to execute arbitrary code. The likely attack vector is the Bazaar marketplace, where the attacker uploads a package with crafted metadata; once viewed, the payload runs under the user's privileges, potentially compromising the entire host system.

Generated by OpenCVE AI on June 21, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.6.1 or later to apply the vendor patch that sanitizes package metadata.
  • Remove or quarantine any Bazaar packages that contain suspicious or unfamiliar content, especially those with abnormal README text or multiple script tags.
  • Disable or restrict the use of the Bazaar marketplace until further notice, or configure the application to allow only trusted or signed packages.

Generated by OpenCVE AI on June 21, 2026 at 16:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
Title SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
First Time appeared B3log
B3log siyuan
Weaknesses CWE-79
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:35:50.419Z

Reserved: 2026-06-21T12:37:58.434Z

Link: CVE-2026-56397

cve-icon Vulnrichment

Updated: 2026-06-24T15:35:11.961Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T18:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')