CVE-2026-45375

SiYuan · SiYuan

A stored Cross-Site Scripting (XSS) vulnerability in the SiYuan Marketplace allows attackers to execute arbitrary HTML/JS via malicious package metadata.

Executive summary

A critical stored XSS vulnerability in the SiYuan Marketplace allows attackers to execute arbitrary HTML/JavaScript in the context of a user's browser session.

Vulnerability

The application fails to properly escape the package metadata fields (name and version) before rendering them, so HTML/JS embedded in those fields is interpreted as markup and executed when a user views the Marketplace UI.
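The rendering mistake described above, as an added example that is not SiYuan's own code: untrusted package metadata interpolated straight into a listing template passes its markup through, while the same template with output encoding applied per field does not. The package object, the template and the helper names (escapeHtml, renderUnsafe, renderSafe, tagNames) are all constructed for this illustration.

```javascript
// Added example, not code from SiYuan: how unescaped package metadata
// becomes markup when rendered into a marketplace listing, and the
// output-encoding fix. The package object and template are constructed
// for this demonstration.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: untrusted fields interpolated directly into an HTML
// string (the same defect as assigning that string to innerHTML in the browser).
function renderUnsafe(pkg) {
  return `<div class="pkg" data-version="${pkg.version}">` +
         `<span class="name">${pkg.name}</span></div>`;
}

// Hardened pattern: every untrusted field is encoded for the context it lands in,
// both the attribute value and the element text.
function renderSafe(pkg) {
  return `<div class="pkg" data-version="${escapeHtml(pkg.version)}">` +
         `<span class="name">${escapeHtml(pkg.name)}</span></div>`;
}

// Lists the distinct element names present in a fragment, so a test or a
// review script can confirm that only the template's own tags reached the output.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names];
}

// Constructed metadata: the name carries element markup and the version
// carries a quote that would close the attribute early.
const untrustedPackage = {
  name: 'demo-plugin <em>injected</em>',
  version: '1.0.0" data-injected="yes',
};

console.log('unsafe:', renderUnsafe(untrustedPackage));
console.log('safe:  ', renderSafe(untrustedPackage));
console.log('tags unsafe/safe:', tagNames(renderUnsafe(untrustedPackage)), tagNames(renderSafe(untrustedPackage)));
```

In a real DOM the equivalent of renderSafe is to build the listing with createElement and assign metadata through textContent and setAttribute rather than innerHTML; the tagNames check is the kind of assertion a unit test for the marketplace view can carry so that a regression to string interpolation is caught before release.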

Business impact

Successful exploitation allows an attacker to perform actions on behalf of the victim, potentially stealing session tokens or sensitive knowledge management data. With a CVSS score of 9.0, this is a significant threat to user-level security within the SiYuan environment.

Remediation

Immediate Action: Upgrade SiYuan to version 3.7.0 or later to ensure proper sanitization of marketplace content.

Proactive Monitoring: Review application logs for unusual client-side errors or unexpected script execution patterns within the browser.

Compensating Controls: Serve the SiYuan UI with a restrictive Content Security Policy (CSP) header, enforced by a modern browser, so that unauthorized inline or injected scripts are blocked even if unescaped content reaches the page.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations should update their SiYuan installations immediately. Protecting users from malicious marketplace content is essential to maintaining the security of the personal knowledge management system.