PT-2026-51238 · Siyuan

0Xkakash1 · Published 2026-06-21 · Updated 2026-06-21 · CVE-2026-56397

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.6.1

Description: SiYuan fails to sanitize package metadata and README content within the Bazaar marketplace. This allows malicious authors to inject arbitrary HTML and JavaScript through the displayName, description, or README fields. Because the application is built on Electron with nodeIntegration enabled (a setting that allows JavaScript to access Node.js APIs), the injected scripts can escape the browser context to execute operating system commands, resulting in remote code execution on the device of any user browsing the marketplace.

Recommendations: Update to version 3.6.1.
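As an added illustration (not SiYuan's code and not the 3.6.1 fix), the two halves of the defence for a bug of this shape: treat author-controlled fields such as displayName and description as text rather than markup when building the marketplace view, and keep the Electron renderer isolated from Node.js so that a DOM XSS cannot become command execution. The package object and the option values are constructed for this example; the field names follow the advisory.

```javascript
// Added illustration, not SiYuan's code. Field names (displayName, description)
// follow the advisory; samplePackage is a constructed marketplace entry.

// Escape the characters that let text become HTML or an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build a marketplace card from untrusted metadata. Every author-controlled
// field is escaped, so it can only ever render as literal text. README content
// (markdown rendered to HTML) needs a real HTML sanitizer on top of this and is
// outside the scope of this example.
function renderPackageCard(pkg) {
  return [
    `<div class="package" data-name="${escapeHtml(pkg.name)}">`,
    `  <h3>${escapeHtml(pkg.displayName)}</h3>`,
    `  <p>${escapeHtml(pkg.description)}</p>`,
    `</div>`,
  ].join("\n");
}

// Defence in depth for the Electron BrowserWindow that shows the marketplace.
// These are standard Electron webPreferences keys; with nodeIntegration off and
// contextIsolation on, a script that does slip into the page has no path to
// Node.js APIs such as child_process, so the impact stays inside the DOM.
const hardenedWebPreferences = {
  nodeIntegration: false, // the advisory says this was enabled
  contextIsolation: true, // preload and page scripts run in separate worlds
  sandbox: true,          // renderer runs inside the Chromium sandbox
};

// Constructed sample: markup placed in the author-controlled fields.
const samplePackage = {
  name: "example-theme",
  displayName: '<img src=x onerror="alert(1)">Nice Theme',
  description: "A theme</p><script>alert(1)</script>",
};

// Rendering the sample yields text only: no <img> or <script> element survives.
function renderSample() {
  return renderPackageCard(samplePackage);
}
```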

Tags: Fix · RCE · XSS


Affected Products: Siyuan