CVE-2026-56395
Status: Received (Intake)
SiYuan Bazaar XSS via Unsanitized Package Metadata

Publication date: 2026-06-21

Last updated on: 2026-06-21

Assigner: VulnCheck

Description
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
siyuan    siyuan    all versions before 3.6.1 (upper bound exclusive)
siyuan    siyuan    all versions before 3.5.9 (upper bound exclusive)
CWE
CWE-79  The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions (insights generated by AI)
Executive Summary

CVE-2026-56395 is a critical vulnerability in SiYuan versions before 3.6.1 that allows remote code execution through improper sanitization of package metadata and README content in the Bazaar marketplace.

Malicious package authors can inject arbitrary HTML and JavaScript into fields such as displayName, description, or README. In the desktop build SiYuan renders these pages in Electron with nodeIntegration enabled and contextIsolation disabled, so injected script has Node.js APIs available and can execute operating system commands on the user's machine.

There are two attack vectors: zero-click RCE via package metadata, which fires when the Bazaar listing renders the displayName and description of a malicious package, and one-click RCE via README files, which fires when the user opens that package's README.

Compliance Impact

Exploitation lets an attacker execute arbitrary code on a user's machine by planting malicious scripts in package metadata and README content, which can expose sensitive data such as API tokens, session cookies, and SSH keys.

Unauthorized access of that kind, and any resulting data breach, can put an organization out of compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and maintaining system security. Exploitation therefore threatens both the confidentiality and the integrity of protected data.

Impact Analysis

This vulnerability can have severe impacts including full remote code execution on any user browsing the Bazaar marketplace in SiYuan.

  • Attackers can steal sensitive data such as API tokens, session cookies, and SSH keys.
  • They can execute arbitrary commands on the victim's operating system.
  • Attackers may install backdoors or deploy ransomware, compromising system integrity and availability.

All SiYuan desktop users on a vulnerable version who browse the Bazaar are at risk until they apply the patch or mitigations. The OS command execution described here depends on Electron's nodeIntegration; where the Bazaar is rendered in an ordinary browser, the same injection remains a cross-site scripting issue in the application's origin, with access to whatever the page's own scripts can reach.

Detection Guidance

The vulnerability is HTML and JavaScript injection through Bazaar package metadata and README content. Detection therefore means finding packages whose displayName, description, or README fields carry markup that plain text or Markdown has no reason to contain: script tags, inline event handlers (onerror=, onload=), javascript: URLs, iframes, and similar.

Because the payload reaches the victim as Bazaar marketplace data, that data is the place to look. Bazaar content is fetched over HTTPS, so a network capture only exposes payloads where TLS is terminated by an inspecting proxy; inspecting the downloaded or cached files is usually more practical.

Specific commands are not provided in the resources, but general approaches include:

  • Inspect downloaded or cached package manifests (the displayName and description fields) and README files for embedded markup.
  • A quick first pass is a pattern search such as `grep -rniE '<script|<iframe|on[a-z]+ *=|javascript:' /path/to/siyuan/bazaar/packages` (placeholder path; point it at the directory where SiYuan stores installed packages). Expect false positives from READMEs that legitimately embed HTML and misses on obfuscated payloads; treat it as triage, not proof.
  • Monitor Electron application logs or console output for errors triggered by malformed payloads, and on endpoints alert on the SiYuan process spawning shells or other unexpected child processes, which is what a successful OS command execution looks like.
  • Network monitoring tools (e.g., Wireshark or tcpdump) can capture Bazaar marketplace traffic, but only an inspecting proxy that terminates TLS will show the payloads inside it.
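A scanner for the indicators listed above, added here as an example; it is not code from the SiYuan project or from the CVE's references. It assumes plugin.json-style manifests in which displayName and description are either strings or localized objects (an assumption; adjust the watched field names to the manifests you have). The sample manifest and README are constructed, not real Bazaar packages.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Manifest fields that should only ever hold plain text. The key names follow
// the CVE description; treating them as the complete list is an assumption.
var watchedFields = map[string]bool{"displayName": true, "description": true}

// Patterns that have no business in plain-text metadata or a package README.
// This is a heuristic triage list: expect some false positives on READMEs
// that legitimately embed HTML, and misses on obfuscated payloads.
var indicators = []struct {
	name string
	re   *regexp.Regexp
}{
	{"script-tag", regexp.MustCompile(`(?i)<\s*script\b`)},
	{"active-element", regexp.MustCompile(`(?i)<\s*(iframe|object|embed|svg|img|meta|link|base)\b`)},
	{"event-handler", regexp.MustCompile(`(?i)\bon[a-z]+\s*=`)},
	{"javascript-url", regexp.MustCompile(`(?i)javascript\s*:`)},
	{"html-data-url", regexp.MustCompile(`(?i)data:\s*text/html`)},
	{"node-api", regexp.MustCompile(`(?i)require\s*\(\s*['"](child_process|fs)['"]`)},
}

type Finding struct{ File, Field, Indicator, Snippet string }

// scanText reports one finding per indicator that matches text, keeping a
// short context window after the match for the report.
func scanText(file, field, text string) []Finding {
	var out []Finding
	for _, ind := range indicators {
		if loc := ind.re.FindStringIndex(text); loc != nil {
			end := loc[1] + 40
			if end > len(text) {
				end = len(text)
			}
			out = append(out, Finding{file, field, ind.name, text[loc[0]:end]})
		}
	}
	return out
}

// walk descends through decoded JSON; once inside a watched field it scans every
// string beneath it, so localized objects like {"default": "...", "zh_CN": "..."}
// are covered as well as plain strings.
func walk(file, field string, v interface{}, out *[]Finding) {
	switch t := v.(type) {
	case string:
		if field != "" {
			*out = append(*out, scanText(file, field, t)...)
		}
	case map[string]interface{}:
		for k, child := range t {
			if field == "" && watchedFields[k] {
				walk(file, k, child, out)
			} else {
				walk(file, field, child, out)
			}
		}
	case []interface{}:
		for _, child := range t {
			walk(file, field, child, out)
		}
	}
}

// scanManifest decodes a plugin.json-style manifest and scans its watched fields.
// Findings are sorted because Go map iteration order is random.
func scanManifest(file string, raw []byte) ([]Finding, error) {
	var doc interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("%s: %w", file, err)
	}
	var out []Finding
	walk(file, "", doc, &out)
	sort.Slice(out, func(i, j int) bool {
		return out[i].Field+out[i].Indicator < out[j].Field+out[j].Indicator
	})
	return out, nil
}

// scanReadme treats the whole README as one field.
func scanReadme(file, text string) []Finding { return scanText(file, "README", text) }

// Constructed samples, not real Bazaar packages.
const samplePluginJSON = `{"name": "example-plugin", "version": "1.0.0",
  "displayName": {"default": "Example <img src=x onerror=\"alert(document.domain)\">", "zh_CN": "示例插件"},
  "description": {"default": "A harmless-looking plugin."}}`
const cleanPluginJSON = `{"name": "tidy", "displayName": {"default": "Tidy"}, "description": {"default": "Keeps notes tidy."}}`
const sampleReadme = "# Example plugin\n\nInstall and enjoy.\n\n<script>alert(document.domain)</script>\n[Docs](javascript:alert(1))\n"

func main() {
	findings, err := scanManifest("plugin.json", []byte(samplePluginJSON))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range append(findings, scanReadme("README.md", sampleReadme)...) {
		fmt.Printf("%s [%s] %s: %q\n", f.File, f.Field, f.Indicator, f.Snippet)
	}
}
```

Run it over every manifest and README under the package directory; anything it flags is a candidate for manual review, since a legitimate README may embed harmless HTML while a real payload may be encoded to dodge the patterns.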
Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.6.1 or later, where the issue has been patched.

Additional mitigation steps include:

  • Do not browse the Bazaar marketplace in vulnerable versions; both the listing (metadata) and the README view trigger the issue.
  • For maintainers and forks: escape all user-controlled metadata at the point of template rendering, using context-aware HTML escaping rather than raw string interpolation.
  • Enable sanitization for README rendering by calling SetSanitize(true) on the Markdown parser, so raw HTML in a README is stripped rather than passed through.
  • Harden the Electron configuration by setting nodeIntegration to false, contextIsolation to true, and sandbox to true for the renderer, exposing only the APIs the renderer needs through a preload script. This limits what an injected script can reach but does not remove the XSS itself, so it complements rather than replaces the escaping fixes.
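To show what escaping at the point of template rendering means in practice, here is an added example in Go (the language of SiYuan's kernel) that is not SiYuan's own code: one listing template rendered through text/template, which interpolates metadata verbatim, and through html/template, which escapes by output context. The Card struct, the template and the sample metadata are constructed for illustration; the README path, which needs the Markdown sanitizer described above rather than template escaping, is not covered here.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Card is the slice of Bazaar package metadata a listing page shows. The struct,
// the template and the Repo field are constructed for this example; only the
// displayName/description field names come from the CVE description.
type Card struct {
	DisplayName string
	Description string
	Repo        string
}

// One template source, executed by two engines.
const cardTemplate = `<div class="pkg"><a href="{{.Repo}}">{{.DisplayName}}</a><p>{{.Description}}</p></div>`

// renderUnescaped uses text/template, which interpolates values verbatim:
// markup in DisplayName lands in the page as live HTML. This is the flaw class.
func renderUnescaped(c Card) (string, error) {
	t, err := texttemplate.New("card").Parse(cardTemplate)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, c); err != nil {
		return "", err
	}
	return b.String(), nil
}

// renderEscaped uses html/template, which escapes by output context: element
// text is HTML-escaped, and the href attribute is checked as a URL, so an
// unsafe scheme such as javascript: is replaced with the placeholder "#ZgotmplZ".
func renderEscaped(c Card) (string, error) {
	t, err := htmltemplate.New("card").Parse(cardTemplate)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, c); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	// Constructed metadata of the kind a malicious package author could publish.
	c := Card{
		DisplayName: `Example <img src=x onerror=alert(document.domain)>`,
		Description: "A harmless-looking plugin",
		Repo:        "javascript:alert(1)",
	}
	u, _ := renderUnescaped(c)
	s, _ := renderEscaped(c)
	fmt.Println("text/template:", u)
	fmt.Println("html/template:", s)
}
```

The point is that the escaping decision belongs to the rendering layer, which knows whether a value is going into element text, an attribute, or a URL; escaping once in the template engine covers every field, whereas per-field string cleaning is easy to miss for a newly added field.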