CVE-2026-45375 - Vulnerability Analysis
Critical | CVSS: 9.0 | Last Updated: May 14, 2026
SiYuan - Stored XSS
Published: May 14, 2026 | Updated: May 14, 2026 | Remote Exploitable
Overview
SiYuan versions before 3.7.0 contain a stored XSS caused by missing HTML escaping of the name and version fields of plugin.json and similar files in the Bazaar marketplace. An attacker can execute arbitrary scripts when a user opens the marketplace tab; exploitation requires the user to open the marketplace UI.
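The missing-escaping pattern described above, shown beside an escaped form and a manifest check, as an added example that is not SiYuan's code. Only the `name` and `version` field names come from the advisory; the function names, the markup and the sample manifest are constructed for illustration.

```javascript
// Added example, not SiYuan's code. Function names, card markup and the
// sample manifest are constructed; only `name`/`version` come from the advisory.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace the five HTML-significant characters with entities.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: manifest strings interpolated into markup unescaped,
// so any tag in `name` or `version` becomes part of the page.
function renderCardUnsafe(manifest) {
  return `<div class="card"><span class="name">${manifest.name}</span>` +
         `<span class="version">${manifest.version}</span></div>`;
}

// Hardened pattern: every manifest-controlled string is escaped at the sink.
function renderCardSafe(manifest) {
  return `<div class="card"><span class="name">${escapeHtml(manifest.name)}</span>` +
         `<span class="version">${escapeHtml(manifest.version)}</span></div>`;
}

// Defence in depth: flag manifests whose display fields are not plain strings
// or carry HTML metacharacters, e.g. when reviewing marketplace submissions.
function auditManifest(manifest, fields = ["name", "version"]) {
  const findings = [];
  for (const field of fields) {
    const value = manifest[field];
    if (typeof value !== "string") {
      findings.push(`${field}: not a string`);
    } else if (/[&<>"']/.test(value)) {
      findings.push(`${field}: contains HTML metacharacters`);
    }
  }
  return findings;
}

// Constructed sample manifest with markup in the `name` field.
const sampleManifest = JSON.parse(
  '{"name": "demo-plugin<img src=x onerror=alert(1)>", "version": "1.0.0"}'
);

console.log(renderCardSafe(sampleManifest));
console.log(auditManifest(sampleManifest));
```

Escaping at the point of rendering is the actual fix for this class of bug; the audit function only helps to spot suspicious manifests and is not a substitute for it.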
Severity & Score
Severity: Critical
CVSS Score: 9.0
Impact
Attackers can execute arbitrary scripts in users' browsers, potentially stealing data or performing actions on behalf of the user.
Mitigation
Update to version 3.7.0 or later.
Details
- CVE ID: CVE-2026-45375
- Severity: Critical
- CVSS Score: 9.0
- Type: stored_xss
- Status: rejected
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H