Skip to main content

SiYuan EUVDEUVD-2026-38161

| CVE-2026-56395 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-06-21 VulnCheck GHSA-9f8r-gfgq-cjhm
9.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.6 CRITICAL

Network-delivered via marketplace fetch with no attacker auth (PR:N), trivial complexity (AC:L), victim must browse Bazaar (UI:R); renderer XSS escapes via Electron nodeIntegration to full OS impact, justifying S:C and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
CVE Published
Jun 22, 2026 - 07:50 cve.org
CRITICAL 9.4
Source Code Evidence Fetched
Jun 22, 2026 - 06:09 vuln.today
Analysis Generated
Jun 22, 2026 - 06:09 vuln.today
Patch available
Jun 21, 2026 - 15:31 EUVD

DescriptionCVE.org

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.

AnalysisAI

Remote code execution in SiYuan note-taking application before v3.6.1 occurs when users browse the built-in Bazaar marketplace, because package metadata (displayName, description) and README content are rendered without HTML sanitization. Because the Electron shell ships with nodeIntegration:true and contextIsolation:false, an injected script in the renderer executes arbitrary OS commands as the user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Publish malicious Bazaar package with XSS in metadata/README
Delivery
Victim opens SiYuan Bazaar view
Exploit
Unescaped innerHTML renders payload in Electron renderer
Execution
nodeIntegration grants require('child_process')
Persist
Spawn OS command as user
Impact
Exfiltrate notes or stage persistence

Vulnerability AssessmentAI

Exploitation The attacker must be able to publish (or have already published) a package in SiYuan's community Bazaar marketplace with malicious content in the displayName, description, or README fields. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Vendor CVSS 4.0 base score is 9.4 (Critical) with AV:N, AC:L, AT:N, PR:N, UI:A and full VC/VI/VA plus SC/SI/SA = High, accurately reflecting that a single user action (opening the Bazaar) leads to host compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a Bazaar package whose displayName or description contains an HTML payload such as an img tag with an onerror handler that calls require('child_process').exec to run an attacker-chosen command. When any SiYuan user opens the Bazaar tab, the package list renders the unescaped metadata into innerHTML, the payload executes in the Electron renderer, and because nodeIntegration is enabled the command runs with the user's OS privileges, allowing data theft, ransomware staging, or persistence. …
Remediation Vendor-released patch: upgrade to SiYuan 3.6.1 or later, available from the project release channel and referenced in GHSA-v3mg-9v85-fcm7 (https://github.com/siyuan-note/siyuan/security/advisories/GHSA-v3mg-9v85-fcm7). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Siyuan

View all
CVE-2024-53507 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability was discovered in Siyuan 3.1.11 in /getHistoryItems. Rated critical severity (CVSS 9.8), t

CVE-2024-53506 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the ids array parameter in /batchGetBlockAttrs. R

CVE-2024-53505 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the id parameter at /getAssetContent. Rated criti

CVE-2024-53504 CRITICAL POC
9.8 Nov 29

A SQL injection vulnerability has been identified in Siyuan 3.1.11 via the notebook parameter in /searchHistory. Rated c

CVE-2026-23852 CRITICAL POC
9.6 Jan 19

SiYuan personal knowledge management system prior to 3.5.4 has a stored XSS vulnerability (CVSS 9.6) that allows code ex

CVE-2026-54069 CRITICAL POC
9.2 Jun 24

Origin-validation bypass in SiYuan Note (open-source personal knowledge management) before 3.7.0 lets any installed Chro

CVE-2026-29183 CRITICAL POC
9.3 Mar 06

Reflected XSS in SiYuan knowledge management before 3.5.9.

CVE-2026-25539 CRITICAL POC
9.1 Feb 04

SiYuan knowledge management system prior to 3.5.5 has a path traversal in /api/file/copyFile allowing arbitrary file ope

CVE-2024-2692 CRITICAL POC
9.0 Apr 04

SiYuan version 3.0.3 allows executing arbitrary commands on the server. Rated critical severity (CVSS 9.0), this vulnera

CVE-2026-29073 HIGH POC
8.8 Mar 06

SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to

CVE-2026-34605 HIGH POC
8.6 Mar 31

Cross-site scripting (XSS) in SiYuan personal knowledge management system versions 3.6.0-3.6.1 allows remote attackers t

CVE-2026-54066 HIGH POC
7.5 Jun 24

Arbitrary file disclosure in SiYuan personal knowledge management system before 3.7.0 lets an unauthenticated remote att

Share

EUVD-2026-38161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy