Remote Code Execution Vulnerability in SiYuan Bazaar Marketplace
CVE-2026-56397

9.4 CRITICAL

Key Information:

Vendor: Siyuan
Status: Vendor
CVE Published: 21 June 2026

What is CVE-2026-56397?

SiYuan before version 3.6.1 does not adequately sanitize the package metadata and README content it displays in the Bazaar marketplace. A malicious package author can therefore inject arbitrary HTML and JavaScript through the package displayName, description, or README fields, and the application renders those fields as markup rather than as text, so the injected cross-site scripting (XSS) payload executes in the renderer when a user views or interacts with the package. Because the renderer runs with Electron's nodeIntegration setting enabled, a script injected this way is not confined to the page: it can reach Node APIs such as child_process and run arbitrary OS commands on the user's machine, turning a marketplace listing into remote code execution. Version 3.6.1 addresses the issue.
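The two halves of the bug described above are untrusted metadata reaching innerHTML-style rendering, and a renderer that exposes Node to whatever runs there. The following illustration is added here and is not SiYuan's code; the package fields, payload strings and preference objects are constructed for the example, and the README sanitizer is a deliberately small allowlist tokenizer meant to show the principle, not a replacement for a maintained library such as DOMPurify.

```javascript
// Added illustration (not SiYuan's own code): how unsanitized Bazaar-style
// package metadata becomes script execution, and how to render it safely.
// Runs under Node with no DOM; the render functions return HTML strings.

// Constructed sample metadata in the shape a malicious package author controls.
// The payloads are assumed for illustration only.
const maliciousPackage = {
  displayName: '<img src=x onerror="require(\'child_process\').exec(\'calc\')">',
  description: 'Useful theme <script>alert(1)</script>',
  readme: '<p>Hello <strong>world</strong></p>'
        + '<a href="javascript:alert(1)">x</a>'
        + '<iframe src="https://evil.example"></iframe>',
};

// Vulnerable pattern: metadata interpolated straight into markup that the
// renderer later assigns to innerHTML. The onerror handler fires on load.
function renderCardUnsafe(pkg) {
  return `<div class="card"><h3>${pkg.displayName}</h3><p>${pkg.description}</p></div>`;
}

// Hardened pattern 1: displayName and description are plain text, so escape
// every character that could open a tag or break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCardSafe(pkg) {
  return `<div class="card"><h3>${escapeHtml(pkg.displayName)}</h3>`
       + `<p>${escapeHtml(pkg.description)}</p></div>`;
}

// Hardened pattern 2: a README is rich text, so escaping would destroy it.
// Keep only an allowlist of structural tags, strip every attribute except an
// http(s) href on <a>, and drop anything else (script, iframe, img, event
// handlers, javascript: URLs). Illustrative only; use DOMPurify in production.
const ALLOWED_TAGS = new Set(['p', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'a', 'br']);

function sanitizeReadme(html) {
  return String(html).replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (full, tag, attrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';          // unknown tag: remove it
    if (full.startsWith('</')) return `</${name}>`;  // closing tag, no attrs
    if (name === 'a') {
      const m = /\bhref\s*=\s*["']([^"']*)["']/i.exec(attrs);
      const href = m ? m[1].trim() : '';
      if (/^https?:\/\//i.test(href)) {
        return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">`;
      }
      return '<a>';                                  // javascript:, data:, etc. dropped
    }
    return `<${name}>`;                              // all other attributes discarded
  });
}

// Crude check used only to demonstrate the difference: does the output still
// contain a raw tag with an event handler, a script tag, or a javascript: URL?
function containsActiveContent(html) {
  return /<script|<[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// The escalation step in this CVE: with nodeIntegration on, any script that
// runs from metadata can require('child_process'). These are real Electron
// BrowserWindow webPreferences keys; the objects themselves are examples.
const riskyWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = {
  nodeIntegration: false,   // renderer has no require()
  contextIsolation: true,   // preload bridge cannot be reached from page JS
  sandbox: true,            // OS-level sandbox for the renderer process
};

function isRendererHardened(prefs) {
  return prefs.nodeIntegration === false
      && prefs.contextIsolation === true
      && prefs.sandbox === true;
}

console.log('unsafe card active content:', containsActiveContent(renderCardUnsafe(maliciousPackage)));
console.log('safe card active content:  ', containsActiveContent(renderCardSafe(maliciousPackage)));
console.log('sanitized README:          ', sanitizeReadme(maliciousPackage.readme));
console.log('risky prefs hardened:      ', isRendererHardened(riskyWebPreferences));
console.log('hardened prefs hardened:   ', isRendererHardened(hardenedWebPreferences));
```

The point of the last block is that the two fixes are independent and both matter: escaping and sanitizing stop the XSS, while turning off nodeIntegration and enabling contextIsolation mean that an XSS that slips through still cannot reach the OS. A renderer that only fixes the first half remains one encoding bug away from command execution.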

Affected Version(s)

SiYuan < 3.6.1 (all versions from 0 up to, but not including, 3.6.1)

SiYuan 3.6.1

References

CVSS v4

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

0xkakash1