
SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Critical severity GitHub Reviewed Published May 10, 2026 in siyuan-note/siyuan • Updated May 15, 2026
