—

GO-2026-5001

SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel

Details

SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/siyuan-note/siyuan/kernel

Introduced in: 0

No fixed version published yet for github.com/siyuan-note/siyuan/kernel (go modules). Pin to a known-safe version or switch to an alternative.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-27qc-m5gf-jv5r [ADVISORY]
https://nvd.nist.gov/vuln/detail/CVE-2026-45375 [ADVISORY]