ByteOS Network

NVD Vulnerability Details :

CVE-2026-44586

Deferred

Source-security-advisories@github.com

Published At-14 May, 2026 | 19:16

Updated At-14 May, 2026 | 21:22

SiYuan is an open-source personal knowledge management system. From 2.1.12 to before 3.7.0. SiYuan's Bazaar marketplace renders package author metadata from the public bazaar stage feed into HTML without escaping. In the desktop app this becomes stored XSS, and because SiYuan's Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload can call Node.js APIs and execute code on the host. This vulnerability is fixed in 3.7.0.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	8.3	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 8.3

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-79	Secondary	security-advisories@github.com
CWE-94	Secondary	security-advisories@github.com

CWE ID: CWE-79

Type: Secondary

Source: security-advisories@github.com

CWE ID: CWE-94

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9	security-advisories@github.com	N/A
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A

Hyperlink: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9

Source: security-advisories@github.com

Resource: N/A

Hyperlink: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-x6wf-w2rg-2gw9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History