Siyuan · Siyuan · CVE-2026-45375
**Name of the Vulnerable Software and Affected Versions**
SiYuan versions prior to 0.0.0-20260421031503-96dfe0bea474
**Description**
A stored cross-site scripting (XSS) issue exists in the Bazaar marketplace. The application fails to sanitize the `name` and `version` fields in package metadata files (such as `plugin.json`, `theme.json`, `template.json`, `widget.json`, and `icon.json`). These unsanitized fields are rendered directly into the Marketplace UI via the `innerHTML` property in the `app/src/config/bazaar.ts` file, specifically through variables like `preferredName`, `name`, and `version`.
In the desktop client, this is escalated to arbitrary OS command execution because the Electron renderer is configured with `nodeIntegration: true`, `contextIsolation: false`, and `webSecurity: false`. This allows an attacker to use Node.js APIs, such as `require('child_process').exec()`, to execute commands under the victim's account. The attack is zero-click, triggering as soon as a user opens the Marketplace tab (Settings → Marketplace → Downloaded → Plugins), without requiring the installation of any package.
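An added example, not SiYuan's code or its fix: one way to keep the `name` and `version` fields of package metadata inert when they are interpolated into an `innerHTML` string, by validating them and HTML-escaping them at the point of rendering. The function names, the `pkg-card` markup, the validation policy and the sample metadata are assumptions constructed for illustration.

```javascript
// Added example (assumed names, not from the SiYuan code base).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open a tag, close an attribute or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical policy: a version is a short run of version-like characters,
// and a name never needs HTML metacharacters.
const VERSION_RE = /^[0-9A-Za-z][0-9A-Za-z.+-]{0,63}$/;
const MARKUP_RE = /[<>"'`]/;

// Return a list of problems found in the fields the Marketplace UI displays.
function checkMetadata(meta) {
  const problems = [];
  for (const field of ["name", "version"]) {
    const v = meta[field];
    if (typeof v !== "string" || v.length === 0) {
      problems.push(`${field}: missing or not a string`);
    } else if (field === "version" && !VERSION_RE.test(v)) {
      problems.push("version: not a plain version string");
    } else if (MARKUP_RE.test(v)) {
      problems.push(`${field}: contains HTML metacharacters`);
    }
  }
  return problems;
}

// Build the card markup. Escaping happens here, at the sink, so the output is
// inert even if checkMetadata() was skipped for some code path.
function renderCard(meta) {
  return `<div class="pkg-card"><span class="name">${escapeHtml(meta.name)}</span>` +
         ` <span class="version">${escapeHtml(meta.version)}</span></div>`;
}

// Constructed sample metadata, as it might appear in a plugin.json file.
const benign = { name: "sample-plugin", version: "1.2.3" };
const hostile = { name: '<img src=x onerror="x">', version: '1.0.0"><i>' };

for (const meta of [benign, hostile]) {
  console.log(checkMetadata(meta), renderCard(meta));
}
```

Where the value is only ever shown as text, assigning it through `textContent` on a created element avoids building an HTML string at all.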
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.