CVE-2026-56395

SiYuan · SiYuan

SiYuan versions before 3.6.1 contain an XSS vulnerability in the Bazaar marketplace that allows remote code execution via malicious package metadata.

Executive summary

A critical vulnerability in the SiYuan Bazaar marketplace allows unauthenticated attackers to achieve remote code execution on user systems by injecting malicious payloads into package metadata.

Vulnerability

This is a cross-site scripting (XSS) vulnerability in the package metadata processing logic. By embedding malicious payloads in package fields, an attacker can leverage Electron's nodeIntegration setting to escape the renderer sandbox and execute arbitrary OS commands.
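As an added illustration of the defence the patch implies (example code, not SiYuan's own): marketplace metadata is rendered as escaped text rather than HTML, and the renderer is configured so that page scripts cannot reach Node.js APIs. The Electron `webPreferences` option names are real; which values SiYuan actually used, and the sample package, are assumptions constructed for this example.

```javascript
// Added example (not SiYuan's code): safe handling of untrusted Bazaar
// package metadata. The attack class on this page is stored XSS in package
// fields; the defence is to treat every field as text, never as markup, and
// to keep the renderer unprivileged so an escaping slip cannot reach Node.

// Escape the five characters that matter when text is placed into HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the HTML card for one package listing. Every metadata field is
// escaped; only the fixed template markup is emitted unescaped.
function renderPackageCard(pkg) {
  return (
    '<div class="bazaar-card">' +
    `<h3>${escapeHtml(pkg.name)}</h3>` +
    `<p class="author">${escapeHtml(pkg.author)}</p>` +
    `<p class="desc">${escapeHtml(pkg.description)}</p>` +
    '</div>'
  );
}

// Hypothetical Electron BrowserWindow webPreferences: the weak shape the
// advisory describes (page scripts can reach Node) beside the hardened one.
const WEAK_WEB_PREFERENCES = { nodeIntegration: true, contextIsolation: false };
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,  // no require()/process in page scripts
  contextIsolation: true,  // preload and page scripts live in separate worlds
  sandbox: true,           // Chromium OS sandbox for the renderer process
};

// Constructed sample: a package whose description field carries markup.
const SAMPLE_PACKAGE = {
  name: 'example-theme',
  author: 'someone',
  description: '<img src=x onerror="alert(1)">',
};

console.log(renderPackageCard(SAMPLE_PACKAGE));
```

With escaping applied the description reaches the DOM as literal text, so the `onerror` handler never becomes an attribute; with the hardened preferences, even an XSS that did land would have no `require` to call.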

Business impact

With a CVSS score of 9.6, this vulnerability poses a severe risk to organizational security. Successful exploitation grants an attacker full control over the victim's local machine, potentially leading to data exfiltration, lateral movement within the network, and complete system compromise.

Remediation

Immediate Action: Upgrade all SiYuan installations to version 3.6.1 or later to apply the required input sanitization patches.

Proactive Monitoring: Review application logs for unusual package metadata submissions or unexpected outbound network connections originating from the SiYuan application process.

Compensating Controls: If immediate patching is not possible, restrict network access to the Bazaar marketplace or implement strict egress filtering to prevent unauthorized command-and-control communication.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the ability to achieve remote code execution, this vulnerability represents a critical security risk. Organizations should prioritize the update to version 3.6.1 across all endpoints to eliminate the risk of arbitrary code execution via the Bazaar marketplace.