CVE-2026-45375
CriticalSummary
SiYuan is a knowledge management system that prior to version 3.7.0 did not properly HTML escape names and versions in plugin.json files. As a result, malicious HTML could be executed in the user interface when a user opened the marketplace tab.
Risk Assessment
The organization may be exposed to XSS attacks, potentially leading to user data theft or session hijacking. Exploitation of this vulnerability could threaten the integrity of the system and the security of data.
Recommendation
It is recommended to update SiYuan to version 3.7.0 or later to eliminate this vulnerability. Additionally, conducting a security audit of the application to identify other potential threats is advisable.
Original NVD description (English source)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar (community marketplace) renders the name and version fields of a package's plugin.json (and the equivalent theme.json / template.json / widget.json / icon.json) into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in kernel/bazaar/package.go HTML-escapes only Author, DisplayName, and Description — Name and Version flow through to the renderer raw. The frontend at app/src/config/bazaar.ts substitutes them into HTML template strings via ${item.preferredName} / ${data.name} / v${data.version} and assigns the result to innerHTML. As a consequence, malicious HTML in either field is parsed and executed when a user opens the marketplace tab. This vulnerability is fixed in 3.7.0.

