PT-2026-33376 · Siyuan · Siyuan

Published: 2026-03-14 · Updated: 2026-04-17 · CVE-2026-40922

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.1 through 3.6.3

Description: An issue exists in the bazaar README rendering, where the Lute HTML sanitizer fails to block iframe tags and does not effectively filter srcdoc attributes containing raw HTML. A malicious bazaar package author can include in their README an iframe whose srcdoc attribute contains embedded scripts. When users view the package in the marketplace UI, the payload executes in the Electron context with full application privileges, allowing arbitrary code execution on the user's machine.

Recommendations: Update to version 3.6.4.
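The failure described above is a sanitizer that filters on a denylist and lets an element (iframe) and an attribute carrying a whole HTML document (srcdoc) through. The example below is an added illustration of the allowlist approach that closes that gap, written for this page; it is not SiYuan's or Lute's code and says nothing about how Lute is implemented. It uses only Python's standard-library html.parser; the tag and attribute allowlists, the `example.invalid` URLs and the constructed README are assumptions chosen for the demonstration. It also returns the list of things it dropped, which is the signal a marketplace operator would want to log when scanning submitted packages.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist (assumed for this example): anything not listed is removed.
ALLOWED_TAGS = {"p", "a", "b", "strong", "i", "em", "ul", "ol", "li",
                "h1", "h2", "h3", "pre", "code", "br", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
# Elements removed together with everything nested inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value):
    """Accept only http(s), same-origin absolute paths and fragments."""
    v = (value or "").strip().lower()
    if v.startswith(("http://", "https://", "#")):
        return True
    return v.startswith("/") and not v.startswith("//")


class ReadmeSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output fragments
        self.dropped = []    # audit trail of removed tags/attributes
        self.skip_depth = 0  # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1   # track nesting so we leave at the right close
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # unknown tag removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")   # srcdoc, onerror, style, ...
                continue
            if name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Entities were decoded on input; re-escape so text stays text.
            self.out.append(escape(data, quote=False))


def sanitize_readme(html_src):
    """Return (sanitized_html, dropped_items) for a bazaar README body."""
    p = ReadmeSanitizer()
    p.feed(html_src)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample README: one benign document plus the two patterns
# that a srcdoc-based injection relies on (iframe element, event attribute).
SAMPLE_README = (
    '<h1>My Plugin</h1>'
    '<p>Install via the <a href="https://example.invalid/docs" title="Docs">docs</a>.</p>'
    '<iframe srcdoc="&lt;script&gt;console.log(1)&lt;/script&gt;"></iframe>'
    '<img src="https://example.invalid/logo.png" alt="logo" onerror="console.log(1)">'
    '<p>Thanks &amp; enjoy &lt;3</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_readme(SAMPLE_README)
    print(clean)
    print("dropped:", dropped)
```

The important design choice is that `iframe` sits in `DROP_WITH_CONTENT`, so the element and everything nested in it disappears before any attribute is even inspected; `srcdoc` never needs a special case because no attribute reaches the output unless its tag explicitly allows it. The returned `dropped` list doubles as a detection hook: a package whose README sheds an `iframe` or any `@on…` attribute during sanitization is worth flagging for review rather than silently cleaned.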

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2026-07547
CVE-2026-40922
GHSA-8Q5W-MMXF-48JG

Affected Products

Siyuan