PT-2026-41017 · Siyuan · Siyuan

·

CVE-2026-44586

·

Published

2026-05-14

·

Updated

2026-05-14

CVSS v3.1

8.3

High

VectorAV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SiYuan versions 2.1.12 through 3.6.x
Description The Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without proper escaping. In the desktop application, this leads to stored Cross-Site Scripting (XSS), a condition where malicious scripts are permanently stored on the server and served to users. Due to the Electron windows being configured with nodeIntegration: true and contextIsolation: false, an attacker can leverage a successful payload to call Node.js APIs and execute arbitrary code on the host system.
Recommendations Update to version 3.7.0.

Exploit

Fix

XSS

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44586
GHSA-X6WF-W2RG-2GW9

Affected Products

Siyuan