Vendor
A stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-54070, affects SiYuan versions up to 3.6.5, allowing a malicious third-party package author to embed JavaScript in package READMEs via an incomplete HTML sanitizer's blocklist, which executes in an Administrator's authenticated browser session upon viewing and interacting with the crafted README in the Bazaar marketplace, leading to API token theft and potential full workspace control.