
Takeover flaw in the SiYuan note app (CVE-2026-56395): update to 3.6.1

A critical flaw lets attackers take over your PC just by opening the in-app marketplace (Bazaar) in SiYuan, the popular open-source note app. Two issues are rated CVSS 9.6. A malicious script planted in a theme or plugin's description can lead to your notes, passwords, and SSH keys leaking. A fix, 3.6.1, is out; update urgently.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.22 · 9 min read

A critical flaw that lets attackers take over your computer simply by opening the in-app "marketplace" has been found in "SiYuan," a popular open-source note-taking app used to organize notes and knowledge. There are two issues, CVE-2026-56395 and CVE-2026-56397, both rated CVSS 9.6 (out of 10.0). The U.S. vulnerability database NVD registered them on June 22 (Japan time). A fixed version, 3.6.1, is already available; if you use an earlier version, you need to update urgently.

The problem is in a feature bundled with SiYuan called the "Bazaar." It is an in-app marketplace where anyone can publish and distribute themes (looks) and plugins (added features). An attacker can plant a malicious program (script) — invisible to the eye — in the description text or the introduction page (README) of a package they register in this marketplace. When a user opens the marketplace and looks at the listing, or opens an introduction page, the planted program starts running on the user's own computer.

Normally, a malicious program slipped into a web page (called "cross-site scripting," or XSS for short) can only act within the limited confines of the browser. But SiYuan's desktop app is built on a framework called "Electron," and because of how it was configured, a script injected into the page could issue commands to the computer's OS itself. In other words, this is not just broken display: it leads straight to "takeover," from stealing files to installing apps without permission.

What SiYuan Does

SiYuan is a "personal knowledge management app" that lets you pile up writing, notes, research, and ideas in one place and organize them while linking them together. It is a kind of note-taking app, used much like Obsidian or Notion. Its hallmark is being "local-first," keeping your data on your own machine, which has won it support among privacy-conscious users. It is developed as open source, with more than 44,000 GitHub stars. Alongside desktop versions (Windows, macOS, Linux) it has a mobile version, and it supports Japanese.

SiYuan's desktop version is built on "Electron," a foundation that builds desktop app screens using web-page technology. Because Electron lets you build a desktop app the same way you build the web, many apps use it these days. The flip side is that a misconfiguration can create the danger that "the contents of a web page can operate the computer." This flaw is exactly that danger made real.

And the Bazaar, the entry point this time, is a mechanism that lets users find and install, from within the app, themes that change the look, plugins that add features, and templates for standard pages. Convenient as it is, because anyone in the world can publish a package they made, a malicious actor can also plant a trap disguised as a "handy-looking plugin." The frightening part is that an utterly ordinary action — browsing a note app's marketplace — becomes the trigger for an attack.

What a Trap Disguised as a "Handy Plugin" Walks Off With From the Note Owner

The number CVSS 9.6 alone does not convey what will happen to you. So let's first picture concretely who places a trap in SiYuan's marketplace and why, and what vanishes from the hands of someone who falls for it. A note app is the place closest to a person's own head — where stray thoughts, things you looked up, work plans, and even drafts you'd never show anyone all gather. The reality of this flaw is that someone else takes hold of the very computer running all that.

Those who set the trap need not be elite hackers in a far-off country. The realistic actors are habitual pranksters who scatter malware disguised as free, handy tools; money-driven groups that profit through crypto theft and ransomware (extortion-ware); and someone close by who wants to peek at a particular person's private notes. All they do is make a "theme or plugin likely to become popular," publish it on the Bazaar, and hide a malicious program in its description or introduction page. What they target is not abstract "data" but vivid, concrete goods: the passwords and login details jotted in your notes, work secrets and drafts, the keys for connecting to servers stored on your PC (SSH keys), crypto wallets, and the various credentials left in your browser. The moment the user opens that package in the marketplace, the planted program runs on the PC, and these are quietly carried off.

In the language of cyberattacks, this is a kind of "supply chain attack" (slipping poison into distributables that users trust and install). Because the very trust that "it's listed in the app's official marketplace" is turned into the attack, victims are hit even with no fault of their own. And this time, because the malicious program can issue commands not just inside the screen but to the PC's OS, the attacker can, in a single intrusion, go from siphoning files to installing a back door to stay resident — and it works on Windows, Mac, and Linux alike. Once they've settled in, simply deleting the app won't undo it.

CVSS 9.6 is only a gauge of technical severity. For someone who entrusts their daily thinking to SiYuan, the real pain is not that the app glitches for a while, but that years' worth of accumulated notes, and the passwords and keys mixed in among them, pass wholesale into someone else's hands while the computer itself stays under watch. A private tool for writing things down with peace of mind can become the very hole through which your life and work are spied on.

CVE-2026-56395 / 56397: The Marketplace's Display Text Was Not Sanitized

NVD registered two CVEs around the Bazaar this time. The cause of both is the same: when displaying a package's information on screen, the "sanitization" step that strips out malicious programs was missing. Behind the scenes in SiYuan, the process that builds a package's introduction page ran without enabling sanitization (specifically, it called lute.New() without SetSanitize(true)), and it then poured the received content straight into the screen (assignment to innerHTML). The report and verification are published in the developer's GitHub security advisory (GHSA-v3mg-9v85-fcm7). The two issues differ by where they fire, as follows.

CVE-2026-56395: Stored XSS via display name / description (CVSS 9.6, effectively zero-click)

The first is the issue where a malicious program planted in a package's "display name (displayName)" or "description" was used in building the screen without being sanitized. Because these are the basic information lined up in the marketplace listing, they can fire just from a user opening the Bazaar and looking at the package list. It is an effectively zero-click path that does not even require opening an introduction page. A published example of an attacker's package definition slips a contrivance like <img src=x onerror="..."> into the display name.

CVE-2026-56397: Stored XSS via introduction page (README) (CVSS 9.6, one-click)

The second is the issue where the contents of a package's introduction page (README) were displayed on screen without being sanitized. A README is meant to be explanatory text written in Markdown, but even if you mix raw HTML or scripts into it, they are not stripped and run as-is. This is a one-click path that fires the moment a user opens a package that caught their eye and views its introduction page. Both are the "stored" type, where the attack code is saved in the package information on the server side and affects everyone who opens it, so the damage spreads widely.
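The two paths above share one defect: untrusted package metadata is built into markup and handed to innerHTML without encoding. The following is an added example, not code from SiYuan or its advisory. It reproduces that listing-rendering pattern beside an output-encoded version and adds a regression check a maintainer could run over the rendered cards. The package metadata is constructed, and escapeHtml, renderCardVulnerable, renderCardHardened and foreignTags are hypothetical names.

```javascript
// Added example, not code from SiYuan or its advisory. Reproduces the
// listing-rendering pattern the article describes (metadata concatenated into
// markup destined for innerHTML) beside an output-encoded version, plus a
// regression check over the rendered cards. Package metadata is constructed;
// escapeHtml, renderCard* and foreignTags are hypothetical names.

// Encode the five characters that let text break out of HTML text or
// attribute context. Applied to every field that is meant to be shown as
// text, this is the string-building equivalent of assigning to textContent.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (the one the article describes): displayName and
// description are dropped into the template unchanged, so markup in either
// field is parsed as markup once the string is assigned to innerHTML.
function renderCardVulnerable(pkg) {
  return `<div class="card"><h3>${pkg.displayName}</h3>` +
         `<p>${pkg.description}</p></div>`;
}

// Hardened pattern: the same template, but every untrusted field is encoded
// first. The attacker's <img ...> survives only as visible text.
function renderCardHardened(pkg) {
  return `<div class="card"><h3>${escapeHtml(pkg.displayName)}</h3>` +
         `<p>${escapeHtml(pkg.description)}</p></div>`;
}

// Regression check: the template contributes exactly these tags, so any other
// tag name in the rendered string can only have come from package metadata.
// This is a test-time canary for the listing view, not a sanitizer; README
// HTML needs a real allowlist sanitizer inside the Markdown renderer.
const TEMPLATE_TAGS = new Set(['div', 'h3', 'p']);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.push(tag);
  }
  return found;
}

// Constructed metadata shaped like the contrivance quoted in the article; the
// handler body is a placeholder, not a working payload.
const hostilePkg = {
  displayName: 'Handy Theme <img src=x onerror="PLACEHOLDER()">',
  description: 'A theme that "looks" handy',
};

console.log(foreignTags(renderCardVulnerable(hostilePkg))); // [ 'img' ]
console.log(foreignTags(renderCardHardened(hostilePkg)));   // []
```

The canary catches the display-name path because the listing template is fully known; it cannot stand in for sanitizing a README, where arbitrary HTML is legitimate output of the Markdown renderer and must be filtered by an allowlist (the SetSanitize(true) option the article names) before it reaches innerHTML.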

Why a "Note App" Leads All the Way to Takeover

Why does a malicious program slipped into the screen leap all the way to taking over the computer? The key is the Electron settings that SiYuan's desktop version is built on. In Electron, you decide via settings how far the app's screen (a web page) can touch the computer's functions. In these settings, SiYuan enabled nodeIntegration (true), which lets the screen call the computer's basic functions directly, and disabled contextIsolation (false), which separates the screen from the computer side.

With this combination, a program slipped into the screen can reach past the browser frame straight to the computer's command-execution functions (such as child_process). The published proof-of-concept code runs an arbitrary command on the user's computer with a single line, require('child_process').exec(...). It was demonstrated with the easy-to-grasp example of launching the calculator app on Windows without permission, but the same mechanism can send files or download other malware. In short, a small display hole (XSS) leaps in one step, by way of the Electron settings, to a full takeover of the computer (RCE) — that is the heart of this issue.
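The settings that make the leap from XSS to RCE possible are a handful of BrowserWindow webPreferences keys. The following is an added example, not SiYuan's code: it audits a webPreferences object against the two settings the article names plus the other renderer-isolation switches, and shows the weak configuration beside a hardened one. Both configuration objects are constructed (the "before" mirrors the combination the article describes), and auditWebPreferences and hardenedWebPreferences are hypothetical names.

```javascript
// Added example, not SiYuan's code: an audit of Electron BrowserWindow
// webPreferences against the settings the article names. Both configurations
// are constructed; the "before" object mirrors the combination the article
// describes. auditWebPreferences and hardenedWebPreferences are hypothetical.

// Each setting is checked for an explicit value, because Electron's defaults
// have moved over time (nodeIntegration defaults to false since Electron 5,
// contextIsolation to true since Electron 12) and an unset key inherits
// whatever the bundled Electron version happens to do.
const REQUIRED = {
  nodeIntegration:  { want: false, why: 'page scripts must not reach require() and child_process' },
  contextIsolation: { want: true,  why: 'page scripts must not share a JS world with the preload' },
  sandbox:          { want: true,  why: 'renderer runs inside the Chromium sandbox' },
  webSecurity:      { want: true,  why: 'same-origin policy stays enforced for loaded content' },
};

// Return one finding per setting that is unset or set to an unsafe value.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, rule] of Object.entries(REQUIRED)) {
    const actual = Object.prototype.hasOwnProperty.call(prefs, key) ? prefs[key] : 'unset';
    if (actual !== rule.want) findings.push({ key, actual, want: rule.want, why: rule.why });
  }
  return findings;
}

// The combination the article describes: an XSS in the renderer has Node
// available, so require('child_process') works from injected script.
const beforeWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
};

// Hardened settings for new BrowserWindow({ webPreferences }). With
// contextIsolation on, anything the page legitimately needs from Node is
// exposed by the preload through contextBridge.exposeInMainWorld as a
// narrow, named API instead of a full require().
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    preload: preloadPath, // e.g. path.join(__dirname, 'preload.js'); placeholder path below
  };
}

console.log(auditWebPreferences(beforeWebPreferences).map((f) => f.key));
// [ 'nodeIntegration', 'contextIsolation', 'sandbox', 'webSecurity' ]
console.log(auditWebPreferences(hardenedWebPreferences('/app/preload.js')));
// []
```

Run against the "before" object, the audit reports all four keys; with the hardened object it reports nothing. The value of checking for explicit settings, rather than trusting defaults, is that the audit gives the same answer regardless of which Electron version the app is built against.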

This "loose Electron settings turn XSS straight into takeover" pattern is not unique to SiYuan; it is a weakness common to many apps that build desktop software with web technology. On this site we continually cover cases where a display hole turns into major damage, such as TinyMCE's stored XSS, where a small hole in the editor screen led straight to seizing administrator privileges, and the DOM-based XSS in the AI agent AutoGPT.

Is Your SiYuan Affected? (Quick Reference by Version)

First, use the table below to check the version of SiYuan you are using. The fix landed in 3.6.1. You can check the version from the app's settings screen (e.g. "Settings" → "About").

Version / platform | Impact of the two CVEs | Action
--- | --- | ---
3.6.0 and earlier (before 3.6.1) | Affected (dangerous when browsing the marketplace) | Update to 3.6.1+ now
3.6.1 and later | Fixed | Keep up with the latest version
Desktop (Windows/Mac/Linux) | Can reach takeover (RCE) | Update with top priority
Mobile / server | XSS impact (also needs updating) | Update to 3.6.1+

The desktop (Electron) version in particular should be updated with top priority, since a display hole leaps straight to a takeover of the computer. The app often notifies you of updates at launch, but if you haven't updated in a while, take this chance to check for the latest version manually.

What to Do Right Now

1. Update SiYuan to 3.6.1 or later. This is the top-priority and surest fix. Get the latest version from the official releases page and update the desktop, mobile, and server versions alike. Until the update is done, temporarily block the entry point with the next item.

2. Don't open the Bazaar (marketplace) until you've updated. This attack fires the moment you open the marketplace listing or an introduction page. While you are on an old version, avoiding the Bazaar's theme/plugin/template screens keeps the trigger at bay for now. Put off installing new packages until after updating.

3. Change your credentials if anything rings a bell. If you recall opening a suspicious package before updating, or saw unfamiliar behavior (a window launching on its own), change the passwords written in your notes and the login details for email and cloud services, and regenerate the keys for connecting to servers (SSH keys) stored on your PC.

4. Inspect your PC for suspicious traces. Check for resident programs you don't recognize, auto-launch (startup) settings, and suspicious outbound traffic. Attackers sometimes plant a back door to stay resident, so if you are worried, run a scan with antivirus software.

5. Reconsider packages of unclear origin. As future prevention, make it a habit not to casually install themes or plugins whose author or reputation you can't confirm. Keeping in mind that "being listed in the marketplace is not a guarantee of safety" is the best defense against the same kind of attack.

Exploited-CVE Status and Related Articles

As of June 2026, CVE-2026-56395 and CVE-2026-56397 are not listed in the U.S. CISA "Known Exploited Vulnerabilities (KEV)" catalog of flaws actually being attacked. That said, example attack code is already public, and because the entry point is a marketplace users open routinely, the prospect of exploitation is not low. We keep the latest status of actively exploited CVEs updated on our CISA KEV dashboard (Japanese).

The trick of slipping poison into "distributables" that users trust and install, like SiYuan's Bazaar, recurs across app extensions and libraries in general. You can check whether the open-source components you use have known holes with the OSS Supply Chain Scanner. Around SiYuan's Bazaar, a similar flaw in introduction-page rendering was reported even before these two, so the same spot's implementation has repeatedly been a problem. Cases where a failure to sanitize display leads straight to takeover, such as a flaw in a sanitization library itself, are something we cover continually on this site.

Summary

CVE-2026-56395 and CVE-2026-56397 are flaws in "Bazaar," the marketplace feature of the popular note app SiYuan, where a malicious program planted in a package's display name, description, or introduction page is shown on screen without being sanitized. It fires just from a user opening the marketplace (no click even needed for the description path), and because SiYuan's Electron settings were loose, a small display hole leaps all the way to a takeover of the computer itself. Both are rated CVSS 9.6, and a fixed version, 3.6.1, is already available.

The real danger of this hole is that the entry point is the casual act of "browsing the marketplace," and that the damage reaches from the contents of your notes to the entire computer. If you use SiYuan, first update to 3.6.1 or later with top priority, and don't open the Bazaar until the update is done. Together with that, a habit of not casually installing packages whose author or reputation you can't tell will protect your notes and your PC from the next attack of the same kind.
