CVE-2026-25647 — MEDIUM (4.6)

Vulnerability Description

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
B3Log	Siyuan	3.5.4

Related Weaknesses (CWE)

CWE-79

References

https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868Patch
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qvExploitVendor Advisory

FAQ

What is CVE-2026-25647?

CVE-2026-25647 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering eng...

How severe is CVE-2026-25647?

CVE-2026-25647 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-25647?

Check the references section above for vendor advisories and patch information. Affected products include: B3Log Siyuan.