CVE-2026-45375
Published 2026-05-14
Priority: P350
Severity: critical (CVSS 3.1 base score 9)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.36% (28.0th percentile)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description — Name and Version flow through to the renderer raw. The frontend at app/src/config/bazaar.ts substitutes them into HTML template strings via ${item.preferredName} / ${data.name} / v${data.version} and assigns the result to innerHTML. As a consequence, malicious HTML in either field is parsed and executed when a user opens the marketplace tab. This vulnerability is fixed in 3.7.0.
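To make the escaping gap concrete, the following Go sketch is an added example, not SiYuan's code: it models a sanitizer that escapes only `Author`, `DisplayName` and `Description` (the pre-3.7.0 behaviour the description attributes to `sanitizePackageDisplayStrings`) beside one that also escapes `Name` and `Version`, and checks which fields would still reach `innerHTML` as raw markup. The `Package` struct, function names and manifest values are constructed for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Package holds the manifest fields the Marketplace UI displays. The field
// set is assumed for this example; it is not SiYuan's real struct.
type Package struct {
	Author, DisplayName, Description, Name, Version string
}

// sanitizeBefore models the pre-3.7.0 sanitizer as the advisory describes
// it: Name and Version are passed through unescaped.
func sanitizeBefore(p Package) Package {
	p.Author = html.EscapeString(p.Author)
	p.DisplayName = html.EscapeString(p.DisplayName)
	p.Description = html.EscapeString(p.Description)
	return p
}

// sanitizeAfter escapes every field that bazaar.ts interpolates into
// innerHTML, closing the gap for Name and Version.
func sanitizeAfter(p Package) Package {
	p = sanitizeBefore(p)
	p.Name = html.EscapeString(p.Name)
	p.Version = html.EscapeString(p.Version)
	return p
}

// fieldsSafe is a defender-side check: no displayed field may still carry
// a character the HTML parser would treat as markup or attribute syntax.
func fieldsSafe(p Package) bool {
	for _, v := range []string{p.Author, p.DisplayName, p.Description, p.Name, p.Version} {
		if strings.ContainsAny(v, "<>\"'") {
			return false
		}
	}
	return true
}

func main() {
	// Constructed manifest: harmless tags placed in the two unescaped fields.
	m := Package{Author: "dev", DisplayName: "Demo", Description: "desc",
		Name: "<b>demo</b>", Version: "1.0<i>x</i>"}
	fmt.Println("before fix, fields safe:", fieldsSafe(sanitizeBefore(m))) // false
	fmt.Println("after fix, fields safe: ", fieldsSafe(sanitizeAfter(m)))  // true
}
```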
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | siyuan-note_siyuan_kernel | 0 – 0.0.0-20260421031503-96dfe0bea474 | — |
| siyuan-note | siyuan | < 3.7.0 | 3.7.0 |
VulDB
SiYuan up to 3.6.5 Setting plugin.json cross site scripting (GHSA-27qc-m5gf-jv5r)
vuldb · 2026-05-15 · CVE-2026-45375 · CRITICAL · CVSS 9.0
A vulnerability was found in SiYuan up to 3.6.5. It has been classified as problematic. This vulnerability affects unknown code of the file plugin.json of the component Setting Handler. The manipulation leads to cross site scripting.
This vulnerability is listed as CVE-2026-45375. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
ghsa · 2026-05-13 · CVE-2026-45375 · CRITICAL · CWE-116
### Summary
SiYuan's Bazaar (community marketplace) renders the `name` and `version` fields of a package's `plugin.json` (and the equivalent `theme.json` / `template.json` / `widget.json` / `icon.json`) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper `sanitizePackageDisplayStrings` in `kernel/bazaar/package.go` HTML-escapes only `Author`, `DisplayName`, and `Description` — `Name` and `Version` flow through to the renderer raw. The frontend at `app/src/config/bazaar.ts` substitutes them into HTML template strings via `${item.preferredName}` / `${data.name}` / `v${data.version}` and assigns the result to `innerHTML`. As a consequence, malicious HTML in either field is parsed and executed when a user opens the marketplace tab. This vulnerability is fixed in 3.7.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.