Product
A stored cross-site scripting (XSS) vulnerability exists in SiYuan due to the kernel storing Attribute View (AV) names without HTML escaping, allowing a malicious actor to inject arbitrary HTML which leads to Node.js code execution due to insecure Electron configuration, resulting in remote code execution (RCE).