NVD disclosure day

Published threat advisories for June 21, 2026

CVE advisoryCRITICAL

CVE-2026-56397

SiYuan Bazaar Marketplace XSS Leads to Remote Code Execution.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

A vulnerability in SiYuan's Bazaar marketplace allows attackers to inject malicious HTML and JavaScript into package details. This can lead to remote code execution on user systems when the marketplace is browsed, potentially enabling attackers to run OS commands. The risk is to users who interact with the application'

CVE advisoryCRITICAL

CVE-2026-56395

SiYuan Bazaar Package Metadata Vulnerability Allows Remote Code Execution.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

SiYuan's Bazaar marketplace has a flaw that allows malicious actors to inject arbitrary HTML and JavaScript through package metadata and README files. This could lead to remote code execution on user systems when they browse compromised packages in the marketplace.