SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS...

8.3 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Description

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

Basic Information

ID CVE-2026-44586

Source GitHub_M

Published May 14, 2026 at 18:11

Modified May 14, 2026 at 19:35

Affected Product

Vendor siyuan-note

Product siyuan

Version >= 2.1.12, < 3.7.0

Affected Versions siyuan-note siyuan >= 2.1.12, < 3.7.0

CWE Classification

CWE-79 CWE-94

References

github.com /siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9

{
    "lastseen": "",
    "description": "SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.",
    "published": "2026-05-14T18:11:49.530Z",
    "modified": "2026-05-14T19:35:27.517Z",
    "type": "cve",
    "title": "SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution",
    "source": "GitHub_M",
    "references": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9",
    "id": "CVE-2026-44586",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "siyuan-note siyuan >= 2.1.12, < 3.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "siyuan",
    "version": ">= 2.1.12, < 3.7.0",
    "vendor": "siyuan-note",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SiYuan: Bazaar marketplace renders unescaped package author metadata, allowing XSS and Electron code execution_CVE-2026-44586