Back to overview

CVE-2026-59833

HIGH
8.6
CVSS 4.0
Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored cross-site scripting in document export-preview and Bazaar package README render paths that can execute OS commands in the Electron desktop renderer. This issue is fixed in versions 3.7.1.

Metadata

CVE ID
CVE-2026-59833
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-07 15:00 UTC
Published
2026-07-09 22:17 UTC
Last updated
2026-07-09 22:17 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
siyuan-note / siyuan
Sources
cve.org  ·  NVD

Severity & Metrics

8.6 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
siyuan-note siyuan < 3.7.1
Weakness (CWE)
CWESourceDescription
CWE-116 cna CWE-116: Improper Encoding or Escaping of Output
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94 cna CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References (3)
Back to overview