What is CVE-2026-56397?

CVE-2026-56397 is a critical-severity vulnerability in Siyuan, classified under Cross-site Scripting. CVSS score: 9.6/10. Published 2026-06-21.

How severe is CVE-2026-56397?

Critical severity. CVSS v3 base score is 9.6 out of 10.

XSS in Siyuan

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user brows…

Vulnerability class: XSS (Cross-Site Scripting)

CVSS v3 metric

CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Affected products

Siyuan — versions 0, 3.6.1

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

disclosure@vulncheck.com (vendor-advisory)
disclosure@vulncheck.com (third-party-advisory)

Frequently asked questions

What is CVE-2026-56397?: CVE-2026-56397 is a critical-severity vulnerability in Siyuan, classified under Cross-site Scripting. CVSS score: 9.6/10. Published 2026-06-21.
How severe is CVE-2026-56397?: Critical severity. CVSS v3 base score is 9.6 out of 10.