Github.com/Siyuan-Note/Siyuan/Kernel (<= 0.0.0-20260421031503-96dfe0bea474)

SiYuan's Bazaar marketplace is vulnerable to stored cross-site scripting (XSS) via unescaped package metadata, leading to arbitrary OS command execution in the desktop Electron client.