PatchSiren

SiYuan CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL SiYuan CVE published 2026-06-21

CVE-2026-56397

CVE-2026-56397 is a critical vulnerability in SiYuan before v3.6.1. The issue allows malicious package authors to inject arbitrary HTML and JavaScript into package metadata and README content in the Bazaar marketplace. This can lead to remote code execution against any user browsing the Bazaar, through XSS payloads embedded in the package displayName, description, or README fields. The vulnerability exploits Electron's [truncated]

CRITICAL SiYuan CVE published 2026-06-21

CVE-2026-56395

CVE-2026-56395 is a critical vulnerability in SiYuan before v3.6.1. The issue allows malicious package authors to inject arbitrary HTML and JavaScript into package metadata and README content in the Bazaar marketplace. This enables attackers to achieve remote code execution against any user browsing the Bazaar, through XSS payloads embedded in the package displayName, description, or README fields. The vulnerability ex [truncated]