Cross-Site Scripting Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-45375

CVSS score: 9 (CRITICAL)

Key Information:

CVE Published: 14 May 2026

What is CVE-2026-45375?

SiYuan, an open-source personal knowledge management system, contains a vulnerability in its Bazaar marketplace feature. Prior to version 3.7.0, the application fails to properly escape the name and version fields of a package's JSON files, exposing users to cross-site scripting (XSS). An attacker who places HTML in the name or version field of a package gets that markup rendered, and any script it carries executed, in the user's browser when the user opens the marketplace tab. The flaw illustrates why untrusted metadata must be validated on input and encoded for the context in which it is output.
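The following is an added illustration of the defect class the advisory describes, not SiYuan's own code. It renders package metadata into an HTML string twice: once by raw concatenation (the pattern that produces the XSS) and once with HTML escaping plus a plausibility check on the version field. The field names `name` and `version` come from the advisory; the helper names, the version rule and the sample package are assumptions made for the example.

```javascript
// Constructed example: escaping package metadata before it is rendered as HTML.
// Not SiYuan's code. Field names (name, version) follow the advisory; the
// helpers, the version rule and the sample package are assumptions.

// The five characters that change meaning in HTML text and attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defence in depth: a marketplace version string should be a plain dotted
// numeric value. Anything else is rejected before rendering. This rule is an
// assumption for the example, not SiYuan's actual policy.
const VERSION_RE = /^\d+(\.\d+){0,3}$/;
function isPlausibleVersion(version) {
  return VERSION_RE.test(String(version));
}

// Vulnerable pattern: raw JSON fields concatenated into HTML, so any markup
// inside them is parsed by the browser.
function renderPackageCardUnsafe(pkg) {
  return `<div class="pkg"><span class="name">${pkg.name}</span>` +
         `<span class="version">${pkg.version}</span></div>`;
}

// Hardened form: every untrusted field is escaped and the version is
// validated; a rejected version is replaced by a neutral placeholder.
function renderPackageCard(pkg) {
  const version = isPlausibleVersion(pkg.version) ? pkg.version : "(invalid version)";
  return `<div class="pkg"><span class="name">${escapeHtml(pkg.name)}</span>` +
         `<span class="version">${escapeHtml(version)}</span></div>`;
}

// Review/test helper: does the rendered output still contain an untrusted
// field verbatim while that field holds a tag?
function containsRawTag(html, field) {
  return /<[a-z!\/]/i.test(field) && html.includes(field);
}

// Constructed package.json-style metadata with a harmless marker tag in the
// name field and a stray tag in the version field.
const SAMPLE_PACKAGE = {
  name: 'Notes Theme <b id="marker">x</b>',
  version: '1.2.3<i>y</i>',
};

// Render the sample both ways and report whether markup survived.
function demo() {
  const unsafe = renderPackageCardUnsafe(SAMPLE_PACKAGE);
  const safe = renderPackageCard(SAMPLE_PACKAGE);
  return {
    unsafeLeaksName: containsRawTag(unsafe, SAMPLE_PACKAGE.name),
    safeLeaksName: containsRawTag(safe, SAMPLE_PACKAGE.name),
    safe,
  };
}

console.log(demo());
```

The escaping belongs at the point where the string is handed to the DOM (or, better, the UI should assign the fields with `textContent` and never build markup from them at all); validating the version on input is the second layer, so a malformed package is rejected before it reaches any renderer.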

Affected Version(s)

siyuan <= 3.6.5

CVSS v3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved