PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56397 SiYuan CVE debrief

CVE-2026-56397 is a critical vulnerability in SiYuan before v3.6.1. Package metadata and README content shown in the Bazaar marketplace were not sanitized, so a malicious package author could place arbitrary HTML and JavaScript in a package's displayName, description, or README fields. The payload runs for any user who views that package in the Bazaar, and because the Bazaar view is rendered in an Electron window with nodeIntegration enabled, the injected script can reach Node APIs and execute OS commands, turning a stored XSS into remote code execution on the user's machine. Defenders should prioritize patching to limit exposure.

Vendor
SiYuan
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-22
Advisory published
2026-06-21
Advisory updated
2026-06-22

Who should care

Users of SiYuan before v3.6.1 who open the Bazaar marketplace are exposed: viewing a malicious package listing is enough to trigger the payload, with no further interaction. Administrators of shared or centrally deployed SiYuan installations should assess exposure and update promptly, and developers of Electron applications that render third-party content should take note of the underlying pattern.

Technical summary

The Bazaar marketplace in SiYuan before v3.6.1 renders package metadata and README content without adequate sanitization. A malicious package author can therefore inject arbitrary HTML and JavaScript into the displayName, description, or README fields, producing a stored XSS. When a user browses the Bazaar, the injected markup is rendered inside SiYuan's Electron renderer, which runs with nodeIntegration enabled; script executing in that context can require Node modules such as child_process, so the XSS escalates to execution of OS commands with the privileges of the SiYuan process.

Defensive priority

High priority: the CVSS score is 9.4 (critical), the outcome is code execution on the client, and the trigger is simply browsing the marketplace.

Recommended defensive actions

  • Update SiYuan to version 3.6.1 or later; this is the only complete fix
  • Until patched, avoid opening the Bazaar marketplace, and where SiYuan is centrally deployed, restrict or block access to it
  • Review packages already installed from the Bazaar and remove any from authors you do not trust
  • Monitor endpoints for unexpected child processes spawned by the SiYuan process, which is what an OS command launched from the renderer would look like
  • For developers of SiYuan or similar Electron applications: encode or allowlist-sanitize package metadata and README content before rendering it, and never render third-party content in a window with nodeIntegration enabled; use contextIsolation and sandbox, exposing only the functions the page needs through a preload script
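The following example, written for this debrief and not taken from the SiYuan code base, illustrates the two halves of the bug described in the technical summary and the developer-side actions in the list above: untrusted package fields concatenated into HTML as-is (the vulnerable pattern) beside the same rendering with contextual output encoding, and a weak Electron webPreferences object beside the hardened one. The package object, the render functions and the rendererRisks check are hypothetical; the webPreferences keys (nodeIntegration, contextIsolation, sandbox, webSecurity) are real Electron options. It runs under plain Node without Electron.

```javascript
// Added illustration for the SiYuan Bazaar XSS debrief. These are hypothetical
// helpers written for this article, not code from the SiYuan project.
// Half 1: untrusted package metadata written into the DOM as HTML.
// Half 2: renderer webPreferences that let injected script reach Node.

// Constructed sample: a malicious Bazaar package as an attacker might publish it.
const maliciousPackage = {
  name: "evil-theme",
  displayName: '<img src=x onerror="require(\'child_process\').exec(\'calc\')">',
  description: "Nice theme <script>require('child_process').exec('id')</script>",
};

// Vulnerable pattern (hypothetical): fields are concatenated into markup with
// no encoding. In an Electron renderer with nodeIntegration enabled, the
// onerror handler above fires with access to require().
function renderCardUnsafe(pkg) {
  return `<div class="card"><h3>${pkg.displayName}</h3><p>${pkg.description}</p></div>`;
}

// Contextual output encoding for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every untrusted field is encoded before it touches the DOM.
// README bodies rendered from Markdown need an allowlist HTML sanitizer
// (for example DOMPurify) after rendering; plain encoding would destroy the
// formatting the README is meant to carry.
function renderCardSafe(pkg) {
  return `<div class="card"><h3>${escapeHtml(pkg.displayName)}</h3><p>${escapeHtml(pkg.description)}</p></div>`;
}

// Regression guard, not a sanitizer: does the rendered markup still carry a
// script tag, a tag with an on* handler, or a javascript: URL?
function containsActiveContent(html) {
  return /<\s*script\b|<[a-z]+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Settings that turn a stored XSS into OS command execution.
const weakWebPreferences = {
  nodeIntegration: true,    // page scripts get require()
  contextIsolation: false,  // preload and page share one JS world
  sandbox: false,           // renderer outside the OS sandbox
  webSecurity: true,
};

// Settings a window that displays third-party content should use.
const hardenedWebPreferences = {
  nodeIntegration: false,   // no require() in page scripts
  contextIsolation: true,   // preload API exposed only via contextBridge
  sandbox: true,            // renderer runs in the OS sandbox
  webSecurity: true,        // keep same-origin policy on
};

// Returns the webPreferences choices that would let injected script reach Node
// or weaken the renderer; an empty list means the window is hardened.
function rendererRisks(prefs) {
  const risks = [];
  if (prefs.nodeIntegration) risks.push("nodeIntegration enabled");
  if (!prefs.contextIsolation) risks.push("contextIsolation disabled");
  if (!prefs.sandbox) risks.push("sandbox disabled");
  if (prefs.webSecurity === false) risks.push("webSecurity disabled");
  return risks;
}

console.log("unsafe:", renderCardUnsafe(maliciousPackage));
console.log("safe:  ", renderCardSafe(maliciousPackage));
console.log("weak renderer risks:", rendererRisks(weakWebPreferences));
console.log("hardened renderer risks:", rendererRisks(hardenedWebPreferences));
```

Both halves matter: encoding alone leaves a renderer that would still hand Node to the next missed injection point, and disabling nodeIntegration alone still leaves an XSS that can read vault contents or make requests as the user.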

Evidence notes

The CVE-2026-56397 details are based on information from official sources, including the NVD and CVE.org. The vulnerability affects SiYuan before v3.6.1 and involves the injection of arbitrary HTML and JavaScript into Bazaar package metadata and README content. Defenders should verify the vulnerability status of their SiYuan installations and review official advisories for further details.

Official resources

This article is AI-assisted and based on the supplied source corpus.