CVE-2026-45375

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description — Name and Version flow through to the renderer raw. The frontend at app/src/config/bazaar.ts substitutes them into HTML template strings via ${item.preferredName} / ${data.name} / v${data.version} and assigns the result to innerHTML. As a consequence, malicious HTML in either field is parsed and executed when a user opens the marketplace tab. This vulnerability is fixed in 3.7.0.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-27qc-m5gf-jv5r
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-27qc-m5gf-jv5r

Configurations

No configuration.

History

16 May 2026, 01:16

Type	Values Removed	Values Added
References	~~() https://github.com/siyuan-note/siyuan/security/advisories/GHSA-27qc-m5gf-jv5r -~~	() https://github.com/siyuan-note/siyuan/security/advisories/GHSA-27qc-m5gf-jv5r -

14 May 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-14 19:16

Updated : 2026-05-16 01:16

NVD link : CVE-2026-45375

Mitre link : CVE-2026-45375

CVE.ORG link : CVE-2026-45375

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-116

Improper Encoding or Escaping of Output

9.0 /10