CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-56397 — SiYuan before v3.6.1 fails to sanitize package metadata and README content in th...

·Source: NIST NVD

Updated:

Executive Summary

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS comma

Analysis

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands. CVSS Score: 9.6. Published: 2026-06-21T14:16:26.783.

Indicators of Compromise (1)

CVE (1)
CVE-2026-56397
Source Attribution

Originally published by NIST NVD on Jun 21, 2026. Verified by: NIST.

Related Threats