Description
Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.
Published: 2026-02-06
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

Lute, the Markdown engine used by SiYuan, contains a stored XSS flaw in versions 1.7.6 and earlier. An attacker can embed malicious JavaScript inside a Markdown note; when another user clicks the rendered content, the script runs in the victim’s browser session. The weakness arises from improper sanitization of hyperlink targets, classified as CWE‑79.

Affected Systems

Affected systems include SiYuan Note version 3.5.4 and earlier builds that embed Lute 1.7.6 or earlier. Any deployment that uses the vulnerable engine is susceptible, regardless of the operating system environment.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to create or modify a note containing the malicious hyperlink, implying a collaborative or shared documentation scenario is needed.

Generated by OpenCVE AI on April 18, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest SiYuan release, which replaces the vulnerable Lute engine with a patched version.
  • If an upgrade is not immediately possible, disable or remove Markdown hyperlink support in notes until the patch is applied.
  • For shared documents, use client‑side sanitization to strip or escape <a> tags before rendering.
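The root cause named above is improper sanitization of hyperlink targets, and the last recommended action asks for sanitization before rendering. The following is an added example of what that check looks like; it is not Lute or SiYuan code. The function names, the allowed-scheme list and the sample URLs are this example's own assumptions. It allow-lists the URL scheme (rather than block-listing known-bad ones), strips the ASCII control characters a browser would ignore before it sees the scheme, and degrades a rejected link to plain text so the note still reads correctly:

```javascript
// Added example, not Lute or SiYuan code: allow-list sanitization of Markdown
// hyperlink targets before the rendered <a> element reaches the browser.
// Function names and the allowed-scheme list are this example's own choices.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Escape the characters that matter inside an HTML attribute value or text node.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Return a normalized, allow-listed href, or null when the target must not be
// emitted as a link. The input must already be entity-decoded (the Markdown
// parser's view of the URL); checking the raw source text instead would let
// entity-encoded schemes through.
function sanitizeHref(rawHref) {
  if (typeof rawHref !== "string") return null;
  // Browsers drop ASCII control characters, tabs and newlines while parsing a
  // URL, so "java<TAB>script:" is still a javascript: URL to them. Remove the
  // same characters before looking at the scheme.
  const cleaned = rawHref.replace(/[\u0000-\u0020\u007f]/g, "");
  if (cleaned === "") return null;

  // Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  if (m === null) {
    // No scheme: relative path, query, fragment or protocol-relative URL.
    // These resolve against the page's own origin and scheme.
    return cleaned;
  }
  // Anything not explicitly allowed is rejected, including schemes that are
  // merely unknown; the comparison is case-insensitive like a browser's.
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
}

// Render a Markdown link as HTML. A rejected target degrades to plain text so
// the document still reads correctly, but nothing clickable is produced.
function renderLink(href, text) {
  const safeHref = sanitizeHref(href);
  if (safeHref === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safeHref)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample targets, as a Markdown parser would hand them over,
// paired with the result the sanitizer is expected to return.
const samples = [
  ["https://example.com/notes/1", "https://example.com/notes/1"],
  ["/notes/1#heading", "/notes/1#heading"],
  ["mailto:team@example.com", "mailto:team@example.com"],
  ["javascript:void(0)", null],
  ["  JaVaScRiPt:void(0)", null],
  ["java\tscript:void(0)", null],
  ["ftp://example.com/file", null], // not in the allow list
];

for (const [input, expected] of samples) {
  const got = sanitizeHref(input);
  console.log(JSON.stringify(input), "->", got === expected ? "ok" : "MISMATCH", got);
}
```

The check belongs at the point where the engine turns a parsed link node into HTML, after any entity decoding and before attribute emission; running it on the raw Markdown source instead misses encoded forms. Relative targets are accepted because they inherit the page's own scheme; if a deployment needs additional schemes, extend the allow list rather than switching to a block list.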


Tracking


Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | B3log; B3log siyuan
CPEs | | cpe:2.3:a:b3log:siyuan:3.5.4:-:*:*:*:*:*:*
Vendors & Products | | B3log; B3log siyuan

Mon, 09 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Siyuan; Siyuan siyuan
Vendors & Products | | Siyuan; Siyuan siyuan

Fri, 06 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | | Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.
Title | | Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:28:33.222Z

Reserved: 2026-02-04T05:15:41.792Z

Link: CVE-2026-25647

Vulnrichment

Updated: 2026-02-09T15:19:31.321Z

NVD

Status: Analyzed

Published: 2026-02-06T19:16:09.593

Modified: 2026-02-24T20:59:10.180

Link: CVE-2026-25647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses