Impact
SiYuan before version 3.6.1 does not sanitize the displayName, description, or README fields for packages in its Bazaar marketplace. This oversight allows a malicious package author to inject arbitrary HTML and JavaScript directly into the UI. Because the Electron environment of SiYuan has nodeIntegration enabled, the injected code can execute native operating system commands, providing attackers with full remote code execution on the client machine.
Affected Systems
All installations of the SiYuan note‑taking application with a Bazaar marketplace component running a version older than 3.6.1 are potentially affected. The vulnerability specifically targets the package metadata and README rendering process in the Bazaar interface.
Risk and Exploitability
The CVSS score of 9.4 indicates a high‑severity risk. Although no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, the impact is substantial: any user who opens or examines a malicious package will have the opportunity to execute arbitrary code. The likely attack vector is the Bazaar marketplace, where the attacker uploads a package with crafted metadata; once viewed, the payload runs under the user's privileges, potentially compromising the entire host system.
OpenCVE Enrichment