PT-2026-40730 · Siyuan · Siyuan

Revanth011 · Published 2026-05-13 · Updated 2026-05-20 · CVE-2026-45375

CVSS v3.1: 9.0 (Critical)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SiYuan versions prior to 0.0.0-20260421031503-96dfe0bea474

Description

A stored cross-site scripting (XSS) issue exists in the Bazaar marketplace. The application fails to sanitize the name and version fields in package metadata files (such as plugin.json, theme.json, template.json, widget.json, and icon.json). These unsanitized fields are rendered directly into the Marketplace UI via the innerHTML property in the app/src/config/bazaar.ts file, specifically through variables like preferredName, name, and version.

In the desktop client, this is escalated to arbitrary OS command execution because the Electron renderer is configured with nodeIntegration: true, contextIsolation: false, and webSecurity: false. This allows an attacker to use Node.js APIs, such as require('child_process').exec(), to execute commands under the victim's account. The attack is zero-click, triggering as soon as a user opens the Marketplace tab (Settings → Marketplace → Downloaded → Plugins), without requiring the installation of any package.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
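
The two conditions described above (metadata fields reaching innerHTML unescaped, and permissive Electron renderer settings) can each be checked in code. The following is an added example, not SiYuan's code or an official fix; the function names, CSS class names and allow-list patterns are assumptions, and the sample metadata is constructed.

```javascript
// Added example (not SiYuan code). Names and validation patterns are assumptions.

// Escape the five characters that let a string break out of HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list check for the two metadata fields the advisory names (assumed policy).
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._ -]{0,63}$/;
const VERSION_RE = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]{1,32})?$/;
function validatePackageMeta(meta) {
  const problems = [];
  if (typeof meta.name !== "string" || !NAME_RE.test(meta.name)) problems.push("name");
  if (typeof meta.version !== "string" || !VERSION_RE.test(meta.version)) problems.push("version");
  return problems;
}

// Build card markup with every metadata value escaped before it is assigned to innerHTML.
function renderCardHtml(meta) {
  return `<div class="card" data-name="${escapeHtml(meta.name)}">` +
    `<span class="name">${escapeHtml(meta.name)}</span> ` +
    `<span class="version">v${escapeHtml(meta.version)}</span></div>`;
}

// Flag the three webPreferences values the advisory ties to the escalation from XSS.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push("nodeIntegration should be false");
  if (prefs.contextIsolation === false) findings.push("contextIsolation should be true");
  if (prefs.webSecurity === false) findings.push("webSecurity should be true");
  return findings;
}

// Constructed sample metadata: one well-formed entry, one whose fields carry markup.
const samples = [
  { name: "calendar-plugin", version: "1.2.0" },
  { name: '<b title="x">demo</b>', version: "1.0.0<i>" },
];
for (const meta of samples) {
  console.log(validatePackageMeta(meta), renderCardHtml(meta));
}
console.log(auditWebPreferences({ nodeIntegration: true, contextIsolation: false, webSecurity: false }));
```

Escaping at render time and rejecting malformed fields at load time are independent layers; the webPreferences audit addresses the impact of any markup injection that still gets through.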

Exploit · RCE · XSS

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-45375
GHSA-27QC-M5GF-JV5R
GO-2026-5001

Affected Products

Siyuan