Product
A critical stored cross-site scripting (XSS) vulnerability in SiYuan (CVE-2026-54067) allows an attacker with workspace write access to execute arbitrary JavaScript, which can escalate to remote code execution (RCE) on Electron desktop builds due to `nodeIntegration:true` settings, by injecting a malicious CSS snippet that bypasses security controls and executes automatically upon application boot.