cvefeed.io
Critical RCE Vulnerability in SiYuan Bazaar Exposes Users to Malicious Packages
SiYuan has disclosed CVE-2026-56395, a critical remote code execution vulnerability affecting versions before 3.6.1. The flaw stems from improper sanitization of package metadata in the Bazaar marketplace: a malicious package author can embed HTML and JavaScript in metadata fields, which the SiYuan client then renders without escaping. The result is cross-site scripting inside the application, and because the renderer runs with Electron's nodeIntegration enabled, injected script can reach Node.js APIs and execute operating-system commands on the victim's device. The vulnerability is rated CVSS 9.6 (v3.1) and 9.4 (v4.0). Users should upgrade to SiYuan 3.6.1 or later and avoid installing untrusted Bazaar packages. A second advisory, CVE-2026-56397, was published with similar details, indicating a broader sanitization problem in the Bazaar marketplace.
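To make the mechanism concrete, the following is an added illustrative example, not SiYuan's code and not taken from the advisory. It shows the generic pattern the advisory describes: package metadata string-interpolated into HTML (vulnerable) beside an escaped version (hardened), a rough check that tells the two apart, and an audit of the Electron webPreferences combination that turns such an XSS into OS command execution. The metadata object, the card-rendering functions and the audit function are all constructed here for demonstration.

```javascript
// Added example (not SiYuan's code). Shows how unescaped Bazaar-style package
// metadata becomes XSS in an Electron renderer, and two mitigations.
// MALICIOUS_META is a constructed sample, not a real package.
const MALICIOUS_META = {
  name: "nice-theme",
  description:
    'Clean dark theme <img src=x onerror="require(\'child_process\').exec(\'calc\')">',
  author: "attacker",
};

// Vulnerable pattern (hypothetical): metadata interpolated straight into an HTML
// string that the UI later assigns to innerHTML. The onerror handler runs as
// page script; with nodeIntegration enabled, require('child_process') works.
function renderCardUnsafe(meta) {
  return `<div class="pkg"><h3>${meta.name}</h3><p>${meta.description}</p><span>${meta.author}</span></div>`;
}

// Mitigation 1: escape every untrusted field before it touches HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderCardSafe(meta) {
  return `<div class="pkg"><h3>${escapeHtml(meta.name)}</h3><p>${escapeHtml(meta.description)}</p><span>${escapeHtml(meta.author)}</span></div>`;
}

// Rough detector for active content in a rendered fragment: a script-like tag,
// or any real tag carrying an on*= event handler. Escaped text such as
// "&lt;img ... onerror=" is not a tag and is not flagged. Demonstration only,
// not a substitute for a real sanitizer.
const ACTIVE_CONTENT = /<\s*(script|iframe|object|embed)\b|<\w+[^>]*\son\w+\s*=/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Mitigation 2: Electron webPreferences. The weak combination lets page script
// reach Node.js; the hardened one confines an XSS to the renderer.
const WEAK_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false, sandbox: false };
const HARDENED_WEB_PREFERENCES = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// Flags explicitly dangerous settings. Electron's defaults for these options
// have changed across major versions, so only explicit values are judged here.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration enabled: renderer script can require('child_process')");
  }
  if (prefs.contextIsolation === false) {
    findings.push("contextIsolation disabled: page script shares the preload's JS realm");
  }
  if (prefs.sandbox === false) {
    findings.push("sandbox disabled: renderer process is not OS-sandboxed");
  }
  return findings;
}

console.log("unsafe card active content:", containsActiveContent(renderCardUnsafe(MALICIOUS_META)));
console.log("safe card active content:  ", containsActiveContent(renderCardSafe(MALICIOUS_META)));
console.log("weak prefs findings:", auditWebPreferences(WEAK_WEB_PREFERENCES));
```

Escaping on output is the primary fix for the XSS itself; the webPreferences audit addresses the second half of the chain, since without Node integration in the renderer an injected script cannot spawn processes. The advisory does not state which of these SiYuan 3.6.1 changed, so treat the pair as the general defence, not a description of the vendor's patch.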
Key Points:
• CVE-2026-56395 and CVE-2026-56397 expose SiYuan users to remote code execution.
• Attackers exploit the flaw through malicious package metadata in the Bazaar marketplace.
• Users must upgrade to SiYuan 3.6.1 or later to mitigate the vulnerability.