CVE-2026-55570

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields (name, version, author, description) when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is produced with JSON.stringify() (which does not escape ', <, or >), a package whose name contains a single quote breaks out of the attribute and injects arbitrary HTML. In the desktop client the main BrowserWindow runs with nodeIntegration: true, contextIsolation: false, so the injected markup escalates from DOM XSS to arbitrary OS command execution. This is the same root cause and same impact as the original advisory, reached through a sibling sink the patch did not cover. This vulnerability is fixed in 3.7.0.
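The serialization pattern the advisory describes, shown as an added example that is not SiYuan's code: a marketplace-card renderer that drops `JSON.stringify()` output straight into a single-quoted `data-obj` attribute beside a hardened variant that entity-encodes the serialized value first. Function names, the `b3-card` markup and the package metadata are constructed for illustration; the check at the end lets a reviewer confirm that the attribute value survives a round trip through the HTML parser's attribute rules only in the hardened version.

```javascript
// Added example (not SiYuan's own code). Demonstrates why JSON.stringify() is
// not an HTML-attribute encoder and how to fix the sink described in the advisory.

// Entity-encode every character that can terminate an attribute or open a tag.
// '&' must be handled first so the other replacements are not double-encoded.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/'/g, '&#39;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Unsafe sink: JSON.stringify() escapes backslashes and double quotes but leaves
// ', < and > untouched, so a single quote in any untrusted field ends the
// attribute early and the remainder is parsed as markup.
function renderCardUnsafe(pkg) {
  return `<div class="b3-card" data-obj='${JSON.stringify(pkg)}'></div>`;
}

// Hardened sink: serialize first, then encode for the attribute context.
function renderCardSafe(pkg) {
  return `<div class="b3-card" data-obj='${escapeAttr(JSON.stringify(pkg))}'></div>`;
}

// Reverse of escapeAttr, applied by the consumer after reading the attribute
// (a browser does this automatically when reading dataset / getAttribute).
function decodeAttr(s) {
  return s
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Mimic how a parser delimits a single-quoted attribute: the value ends at the
// first raw single quote, whatever follows it.
function attrValue(html) {
  const m = /data-obj='([^']*)'/.exec(html);
  return m ? m[1] : null;
}

// Reviewer check: does the metadata come back intact from the rendered attribute?
// Returns false when the attribute was cut short or no longer parses as JSON.
function roundTrips(pkg, render) {
  const raw = attrValue(render(pkg));
  if (raw === null) return false;
  try {
    return JSON.stringify(JSON.parse(decodeAttr(raw))) === JSON.stringify(pkg);
  } catch (e) {
    return false;
  }
}

// Number of raw single quotes in the rendered markup; a correctly encoded
// single-quoted attribute contributes exactly two (its own delimiters).
function singleQuoteCount(html) {
  return (html.match(/'/g) || []).length;
}

// Constructed sample metadata containing the characters JSON.stringify() leaves alone.
const samplePkg = {
  name: "Alice's Theme",
  version: '1.0.0',
  author: 'alice',
  description: 'a <b>bold</b> theme',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe round-trips:', roundTrips(samplePkg, renderCardUnsafe)); // false
  console.log('safe round-trips:', roundTrips(samplePkg, renderCardSafe));     // true
}
```

The hardened form keeps the JSON intact because an attribute value is read back entity-decoded, so `JSON.parse()` on the consumer side sees exactly what was serialized; an alternative with the same effect is to skip string templating and set the attribute through `element.dataset.obj = JSON.stringify(pkg)`, which never passes through the HTML parser at all.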
Configurations

No configuration.

History

25 Jun 2026, 15:16

Type: References
Values Removed: () https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x88j-wgpr-h22x -
Values Added: () https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x88j-wgpr-h22x -

24 Jun 2026, 22:16

Type: New CVE

Information

Published : 2026-06-24 22:16

Updated : 2026-06-25 15:16


NVD link : CVE-2026-55570

Mitre link : CVE-2026-55570

CVE.ORG link : CVE-2026-55570


Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-116

Improper Encoding or Escaping of Output