9 / 10 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description — Name and Version flow through to the renderer raw. The frontend at app/src/config/bazaar.ts substitutes them into HTML template strings via ${item.preferredName} / ${data.name} / v${data.version} and assigns the result to innerHTML. As a consequence, malicious HTML in either field is parsed and executed when a user opens the marketplace tab. This vulnerability is fixed in 3.7.0.
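The unescaped-interpolation pattern the description names, shown next to a version that escapes every display field before it reaches innerHTML. This is an added example, not code from SiYuan; the field names, escapeHtml helper and the sample package are assumptions.

```javascript
// Added illustration of the bug class described above; not SiYuan project code.
// Package metadata as it could arrive from a marketplace package's plugin.json
// (constructed sample; the name carries markup the renderer must not trust).
const pkg = {
  author: "someone",
  displayName: "Tidy Notes",
  description: "A small plugin",
  name: 'tidy-notes"><img src=x onerror="/* attacker-controlled script */">',
  version: "1.0.0",
};

// Minimal HTML escaper: the five characters that matter in text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: description is escaped, but name and version are interpolated
// raw into a template string that is later assigned to innerHTML.
function renderCardVulnerable(item) {
  return `<div class="card">
  <span class="name">${item.name}</span> <span class="ver">v${item.version}</span>
  <p>${escapeHtml(item.description)}</p>
</div>`;
}

// Hardened pattern: every field that originates from package metadata is escaped.
function renderCardHardened(item) {
  return `<div class="card">
  <span class="name">${escapeHtml(item.name)}</span> <span class="ver">v${escapeHtml(item.version)}</span>
  <p>${escapeHtml(item.description)}</p>
</div>`;
}

// Detection helper: the template only ever emits div, span and p; any other
// tag name in the rendered markup must have come from the untrusted data.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !/^<\/?(div|span|p)$/.test(t));
}
```

Escaping at the render site is defense in depth; the description places the upstream gap in the kernel-side sanitizer, which should cover Name and Version as well.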
AI Analysis
Stored XSS and Electron code execution vulnerability in SiYuan's Bazaar marketplace due to unescaped package name and version metadata
Basic Information
ID
CVE-2026-45375
Source
GitHub_M
Published
May 14, 2026 at 18:13
Affected Product
Vendor
siyuan-note
Product
siyuan
Version
<= 3.6.5
Affected Versions
siyuan-note siyuan <= 3.6.5
CWE Classification
AI Assessment
AI Score
9 / 10
AI Severity
Critical
Vendor
siyuan-note
Product
SiYuan
Version
<= 3.6.5