PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56395 SiYuan CVE debrief

CVE-2026-56395 is a critical vulnerability in SiYuan before v3.6.1. The issue allows malicious package authors to inject arbitrary HTML and JavaScript into package metadata and README content in the Bazaar marketplace. By embedding XSS payloads in a package's displayName, description, or README fields, an attacker can achieve remote code execution on the machine of any user who browses the Bazaar, because the injected script runs in an Electron renderer with the nodeIntegration setting enabled and can therefore execute OS commands. Defenders should prioritize patching to limit exposure.

Vendor
SiYuan
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-22
Advisory published
2026-06-21
Advisory updated
2026-06-22

Who should care

Users of SiYuan before v3.6.1, particularly those who use the Bazaar marketplace, should prioritize updating to the latest version to mitigate the risk of remote code execution. Developers and administrators who manage SiYuan installations are also advised to take immediate action.

Technical summary

The vulnerability, CVE-2026-56395, is caused by inadequate sanitization of package metadata and README content in the Bazaar marketplace of SiYuan before v3.6.1. Malicious package authors can inject arbitrary HTML and JavaScript, which leads to remote code execution when users view the Bazaar. The attack leverages Electron's nodeIntegration setting, which exposes Node.js APIs to page scripts and so lets injected JavaScript execute OS commands. The CVSS score is 9.4, indicating critical severity.

Defensive priority

Immediate patching is recommended due to the critical severity and the potential for remote code execution.

Recommended defensive actions

  • Update SiYuan to version 3.6.1 or later
  • Review and sanitize package metadata and README content in the Bazaar marketplace
  • Limit user access to the Bazaar marketplace until patched
  • Monitor for suspicious activity in SiYuan installations
  • Implement additional security measures to restrict execution of OS commands
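The technical summary above describes two layers that failed together: untrusted package fields were rendered as markup, and the renderer had nodeIntegration enabled. The following JavaScript is an added example written for this debrief, not SiYuan's own code. It shows the defensive counterpart of both layers as a practitioner would check them: untrusted metadata fields (the displayName and description fields named on the page) are escaped before being placed in HTML, and a small audit function flags the risky Electron webPreferences combination. The field names come from the page; nodeIntegration is named on the page, while contextIsolation and sandbox are real Electron BrowserWindow options that the page does not mention; the package manifest and the preference objects are constructed sample data.

```javascript
// Added example, not SiYuan's code: safe rendering of untrusted marketplace
// metadata plus an audit of Electron renderer settings.

// Minimal HTML escaping for text that will be interpolated into markup.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed sample manifest: the kind of payload a malicious package
// author could place in metadata fields (sample data, not a real package).
const untrustedPackage = {
  displayName: '<img src=x onerror="alert(1)">Nice Theme',
  description: 'Dark theme <script>require("child_process")</script>',
};

// Builds the HTML for a package card. Every field that originates from a
// third-party package is escaped, so it is displayed as text, never parsed
// as markup. Compare with the unsafe pattern of interpolating raw fields.
function renderPackageCard(pkg) {
  return (
    `<div class="pkg"><h3>${escapeHtml(pkg.displayName)}</h3>` +
    `<p>${escapeHtml(pkg.description)}</p></div>`
  );
}

// Hypothetical webPreferences objects as they would be passed to an Electron
// BrowserWindow. The weak settings are what makes an XSS escalate to OS
// command execution; the hardened settings confine page scripts to the DOM.
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Returns a list of findings for a webPreferences object; an empty list
// means none of the checked weaknesses are present.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: any XSS in this renderer can reach Node.js APIs');
  }
  if (prefs.contextIsolation === false) {
    findings.push('contextIsolation disabled: page scripts share a realm with preload code');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox not enabled: renderer process is not OS-sandboxed');
  }
  return findings;
}

// Stand-alone demonstration.
console.log(renderPackageCard(untrustedPackage));
console.log('weak renderer findings:', auditWebPreferences(weakPrefs));
console.log('hardened renderer findings:', auditWebPreferences(hardenedPrefs));
```

Escaping alone blocks the markup injection shown here, but the audit is the check that matters for blast radius: with nodeIntegration disabled and contextIsolation enabled, an XSS that slips through sanitization is confined to the renderer's DOM instead of the operating system. README content rendered from Markdown should be run through the same kind of allowlisting HTML sanitizer before display.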

Evidence notes

The primary evidence for this vulnerability comes from the CVE record and NVD detail. The CVE-2026-56395 record indicates that SiYuan before v3.6.1 is affected. The NVD detail provides additional information on the vulnerability's CVSS vector and weaknesses. Defenders should verify the affected product and version from official sources.

Official resources

This article is AI-assisted and based on the supplied source corpus.