2 vulnerabilities across 1 product scored HIGH or above on June 21, 2026.

  • 🟠 HIGH: 2

🟠 [HIGH] siyuan/siyuan

2 CVEs | CVSS 4.0: 9.4 | AAS 10.2

  • cpe:2.3:a:siyuan:siyuan:*:*:*:*:*:*:*:* (< 3.6.1)

SiYuan note-taking application versions prior to 3.6.1 are affected by 2 vulnerabilities, including multiple issues related to insufficient sanitization of package metadata and README content in the Bazaar marketplace. The most severe, rated CVSS 9.4 HIGH, allows malicious package authors to inject arbitrary HTML and JavaScript through crafted package fields such as displayName, description, or README content. Because SiYuan runs on Electron with nodeIntegration enabled, successful exploitation escalates from cross-site scripting to full remote code execution, enabling attackers to run arbitrary OS commands on any user who simply browses the marketplace. Organizations and individuals using SiYuan should upgrade to version 3.6.1 or later immediately and review the vendor advisory at the linked GitHub security page for additional details.

Vendor Advisory