CVE-2026-25647

Medium CVSS: 4.6

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.

Vendor

B3log

Product

Siyuan

CWE

CWE-79

Yayın Tarihi

2026-02-06 19:16:09

Güncelleme

2026-02-24 20:59:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Siyuan MEDIUM B3log 2026

Referanslar

https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868 https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv

Benzer Kayıtlar

High

CVE-2026-34585

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute…

High

CVE-2026-34605

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function i…

High

CVE-2026-34453

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the publish service exposes bookmarked blocks…

Critical

CVE-2026-34448

SiYuan is a personal knowledge management system. Prior to version 3.6.2, an attacker who can place a malicious URL in a…

Critical

CVE-2026-34449

SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code Ex…

Critical

CVE-2026-33670

SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to tr…