CVE-2026-45375

CRITICAL EPSS 28.0%
Published May 14, 20261mo ago · Modified Jun 17, 20262w ago
9.0 CVSS 3.1
Critical
Find Similar
Published May 14, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description — Name and Version flow through to the renderer raw. The frontend at app/src/config/bazaar.ts substitutes them into HTML template strings via ${item.preferredName} / ${data.name} / v${data.version} and assigns the result to innerHTML. As a consequence, malicious HTML in either field is parsed and executed when a user opens the marketplace tab. This vulnerability is fixed in 3.7.0.

CVSS Details

Base Score
9.0
Exploitability
2.3
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
28.0% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-116
CWE-79 Cross-site Scripting Injection

References 1

  • github.com https://github.com/siyuan-note/siyuan/security/advisories/GHSA-27qc-m5gf-jv5r

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.