{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25647", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.792Z", "datePublished": "2026-02-06T19:03:36.847Z", "dateUpdated": "2026-02-09T15:28:33.222Z"}, "containers": {"cna": {"title": "Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv"}, {"name": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868", "tags": ["x_refsource_MISC"], "url": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868"}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"version": "< 3.5.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T19:03:36.847Z"}, "descriptions": [{"lang": "en", "value": "Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session."}], "source": {"advisory": "GHSA-rw25-98wq-76qv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:19:30.532188Z", "id": "CVE-2026-25647", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:28:33.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25647", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:19:30.532188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:19:31.321Z"}}], "cna": {"title": "Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink", "source": {"advisory": "GHSA-rw25-98wq-76qv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "siyuan-note", "product": "siyuan", "versions": [{"status": "affected", "version": "< 3.5.5"}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv", "name": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868", "name": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T19:03:36.847Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25647", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:28:33.222Z", "dateReserved": "2026-02-04T05:15:41.792Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T19:03:36.847Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:3.5.4:-:*:*:*:*:*:*", "matchCriteriaId": "A3E5172C-68F8-4D7D-98C1-07ED441F4F91", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session."}], "id": "CVE-2026-25647", "lastModified": "2026-02-24T20:59:10.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-06T19:16:09.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:31:27.738404+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest SiYuan release, which replaces the vulnerable Lute engine with a patched version.", "If an upgrade is not immediately possible, disable or remove Markdown hyperlink support in notes until the patch is applied.", "For shared documents, use client\u2011side sanitization to strip or escape <a> tags before rendering."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Affected systems include SiYuan note version 3.5.4 and any earlier builds that embed Lute 1.7.6. Any deployment that uses the vulnerable engine is susceptible, regardless of the operating system environment.", "description_and_impact": "Lute, the Markdown engine used by SiYuan, contains a stored XSS flaw in versions 1.7.6 and earlier. An attacker can embed malicious JavaScript inside a Markdown note; when another user clicks the rendered content, the script runs in the victim\u2019s browser session. The weakness arises from improper sanitization of hyperlink targets, classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.6 indicates moderate impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to create or modify a note containing the malicious hyperlink, implying a collaborative or shared documentation scenario is needed."}}}}, "created": "2026-02-09T10:49:49.184861+00:00", "updated": "2026-04-18T13:45:45.665146+00:00", "vendors": ["siyuan", "siyuan$PRODUCT$siyuan"]}