Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.
Published: 2026-06-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan's Lute HTML sanitizer fails to strip <iframe> elements before version 3.7.0. When a malicious Bazaar package README is displayed in the Electron client, the embedded <iframe> triggers execution of arbitrary commands on the host machine. The weakness is an injection flaw classified as CWE-79 (cross-site scripting); because the rendering context is a permissively configured Electron window rather than a browser sandbox, it directly compromises the confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is SiYuan by siyuan-note. Any deployment of the SiYuan client running a version earlier than 3.7.0 is vulnerable. The Electron-based desktop application is the primary entry point, as it renders the README with a permissive security configuration.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can introduce a malicious README into a Bazaar package distributed to a user; the README is rendered automatically when the package details are viewed, so no explicit installation of the package is required. The CVSS vector (AV:N, UI:P) records a network-reachable attack that requires user interaction: the victim must open the package details for the README to render, so exploitation relies on social engineering. Timely remediation is essential to prevent exploitation.

Generated by OpenCVE AI on June 24, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.7.0 or later, where the Lute sanitizer blocks <iframe> tags.
  • If an upgrade cannot be performed immediately, avoid opening Bazaar package READMEs from untrusted or unknown sources until a patch is applied.
  • Configure the Electron client to restrict external content loading, such as disabling node integration or applying a stricter web-view security policy, to mitigate the execution of malicious code via iframes.
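A concrete form of the third action, as an added example that is neither SiYuan's nor Electron's own code: a small audit of an Electron `webPreferences` object against the settings that let framed, untrusted HTML reach Node.js. The "permissive" object is constructed for illustration and is not SiYuan's actual configuration; current Electron defaults are assumed for keys that are absent.

```javascript
// Added example (not SiYuan's or Electron's code): audit an Electron
// BrowserWindow webPreferences object for settings that let content
// rendered in an <iframe> escape the renderer and reach Node.js.

// Each check: the key, the value that is safe, and why it matters.
const CHECKS = [
  { key: 'nodeIntegration', safe: false,
    why: 'renderer (and framed content) can require() Node modules' },
  { key: 'contextIsolation', safe: true,
    why: 'page scripts share a JS world with preload/Electron internals' },
  { key: 'sandbox', safe: true,
    why: 'renderer process is not OS-sandboxed' },
  { key: 'webSecurity', safe: true,
    why: 'same-origin policy is disabled for page content' },
  { key: 'allowRunningInsecureContent', safe: false,
    why: 'HTTPS pages may load active content over plain HTTP' },
];

// Assumed defaults of current Electron releases (nodeIntegration=false since
// Electron 5, contextIsolation=true since 12, sandbox=true since 20). Older
// releases differ, so an absent key is not automatically safe there.
const ELECTRON_DEFAULTS = {
  nodeIntegration: false, contextIsolation: true, sandbox: true,
  webSecurity: true, allowRunningInsecureContent: false,
};

// Returns a list of finding strings; an empty list means nothing flagged.
function auditWebPreferences(prefs) {
  const effective = { ...ELECTRON_DEFAULTS, ...prefs };
  return CHECKS
    .filter(c => effective[c.key] !== c.safe)
    .map(c => `${c.key}=${effective[c.key]}: ${c.why}`);
}

// Constructed permissive configuration (illustrative only, not SiYuan's).
const permissive = { nodeIntegration: true, contextIsolation: false,
  webSecurity: false };

// Hardened configuration: README HTML rendered here has no path to Node.
const hardened = { nodeIntegration: false, contextIsolation: true,
  sandbox: true, webSecurity: true };

console.log(auditWebPreferences(permissive));
console.log(auditWebPreferences(hardened));
```

The audit is a configuration check only; the sanitizer fix in 3.7.0 is still required, since a hardened window limits what a framed page can reach but does not stop it from loading.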


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.
Title        (none)           SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client
Weaknesses   (none)           CWE-79
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:21:57.842Z

Reserved: 2026-06-15T23:12:41.966Z

Link: CVE-2026-54759

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:30:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')