Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.
Published: 2026-06-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SiYuan’s Lute HTML sanitizer fails to strip < 3.7.0. When a malicious Bazaar package README is displayed in the Electron client, the embedded <iframe> triggers execution of arbitrary commands on the host machine. The weakness is an injection flaw classified as CWE‑79, which directly compromises confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected product is Siyuan by siyuan-note. Any deployment of the Siyuan client running a version earlier than 3.7.0 is vulnerable. The Electron-based desktop application is the primary entry point, as it renders the README with a permissive security configuration.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can introduce a malicious README into a Bazaar package distributed to a user; the README is rendered automatically when the package details are viewed, so no explicit installation of the package is required. The attack vector is likely local or social‑engineering based, relying on user interaction to open the README. Timely remediation is essential to prevent exploitation.

Generated by OpenCVE AI on June 25, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.7.0 or later, where the Lute sanitizer blocks <iframe> tags.
  • , avoid opening Bazaar package readmes from untrusted or unknown sources until a patch is applied.
  • Configure the Electron client to restrict external content loading, such as disabling node integration or applying a stricter web‑view security policy, to mitigate the execution of malicious code via iframes.

Generated by OpenCVE AI on June 25, 2026 at 00:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.
Title SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T12:32:38.000Z

Reserved: 2026-06-15T23:12:41.966Z

Link: CVE-2026-54759

cve-icon Vulnrichment

Updated: 2026-06-25T12:32:25.218Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')