Remote Code Execution Vulnerability in SiYuan Bazaar Marketplace
CVE-2026-56395

9.4 CRITICAL

Key Information:

Vendor

Siyuan

Status
Vendor
CVE Published:
21 June 2026

What is CVE-2026-56395?

In SiYuan versions prior to 3.6.1, package metadata and README content displayed in the Bazaar marketplace are not sanitized before rendering. A malicious package author can therefore inject arbitrary HTML and JavaScript through the displayName, description, or README fields of a package. When a user browses the Bazaar, the injected script runs inside SiYuan's Electron renderer, and because Electron's nodeIntegration feature is available to that page, the script can run operating system commands on the victim's device, turning a stored XSS into remote code execution.
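The two rendering patterns below illustrate the defect class described above and its fix. This is an added example, not SiYuan's code: the package object shape (displayName, description) is taken from the advisory, but the rendering functions, the sample package and the Electron preference object are assumptions written for this illustration.

```javascript
// Added example (not SiYuan's own code): rendering untrusted marketplace
// metadata in a browser/Electron UI. Package shape and helpers are assumptions.

// Escape the five characters that let text break out of an HTML text node or
// a quoted attribute value. Every untrusted field passes through this before
// it is placed into markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "").replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: metadata interpolated straight into markup. Any tag in
// pkg.displayName or pkg.description is parsed and, if it is script-bearing,
// executed by the renderer.
function renderPackageCardUnsafe(pkg) {
  return `<div class="pkg"><h3>${pkg.displayName}</h3><p>${pkg.description}</p></div>`;
}

// Hardened pattern: the same template, but every field is escaped, so the
// identical input is displayed as literal text instead of being parsed.
function renderPackageCardSafe(pkg) {
  return `<div class="pkg"><h3>${escapeHtml(pkg.displayName)}</h3>` +
         `<p>${escapeHtml(pkg.description)}</p></div>`;
}

// Defence in depth: renderer settings that keep a DOM injection from reaching
// Node APIs (and thus OS commands). These are standard Electron webPreferences
// keys; they are shown as the recommended baseline, not as SiYuan's configuration.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Detection helper used by the checks below: does the rendered HTML still carry
// an unescaped opening tag of the given name?
function containsRawTag(html, tagName) {
  return html.toLowerCase().includes(`<${tagName.toLowerCase()}`);
}

// Constructed sample: a marketplace entry whose fields contain markup.
const SAMPLE_PACKAGE = {
  displayName: "Nice Theme <script>/* untrusted */</script>",
  description: 'A theme with "quotes" & <b>markup</b>',
};

// Stand-alone run: show both renderings side by side.
console.log("unsafe:", renderPackageCardUnsafe(SAMPLE_PACKAGE));
console.log("safe:  ", renderPackageCardSafe(SAMPLE_PACKAGE));
```

Escaping is the right tool for plain-text fields such as displayName and description. README content is markdown and is meant to become HTML, so escaping alone is not enough there: the markdown output must be run through an allow-list HTML sanitizer before insertion, and the Electron hardening above is what limits the blast radius if any sanitizer ever misses a case.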

Affected Version(s)

SiYuan 0 < 3.6.1

SiYuan 3.6.1

References

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

0xkakash1