Lucene search
+L

28 matches found

EUVD
EUVD
added last week7 views

EUVD-2026-39126

SiYuan: Stored XSS in Bazaar marketplace via package README event handlers...

7.1CVSS6.1AI score0.0018EPSS
Exploits0References2
CVE
CVE
added 2026/07/09 10:17 p.m.10 views

CVE-2026-59833

SiYuan (open-source PIM) prior to 3.7.1 uses Lute with sanitization, but the per-attribute URL-scheme sanitizer fails to check form action and SVG xlink:href attributes. This allows stored XSS in document export-preview and Bazaar package README rendering paths, with potential to execute OS comma...

8.6CVSS5.9AI score0.00388EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/09 10:17 p.m.32 views

CVE-2026-59833 SiYuan: Stored XSS to RCE in SiYuan via a per-attribute URL-scheme sanitizer gap in Lute (form action / SVG xlink:href)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored...

8.6CVSS0.00388EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/09 10:17 p.m.6 views

CVE-2026-59833

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored...

8.6CVSS5.9AI score0.00388EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/09 10:17 p.m.3 views

CVE-2026-59833 SiYuan: Stored XSS to RCE in SiYuan via a per-attribute URL-scheme sanitizer gap in Lute (form action / SVG xlink:href)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored...

8.6CVSS6.1AI score0.00388EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.9 views

PT-2026-57008

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description SiYuan uses the Lute engine to render note and package content into HTML. A flaw in the sanitization process occurs because the dangerous javascript scheme block fails to validate the form action and...

8.6CVSS6.1AI score0.00388EPSS
Exploits0References5
NVD
NVD
added 2026/06/24 10:16 p.m.10 views

CVE-2026-54070

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitizetrue. The lute sanitizer is an event-handler blocklist: allowAttr rejects only...

7.1CVSS0.0018EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:21 p.m.21 views

CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...

8.7CVSS0.00262EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 9:21 p.m.12 views

CVE-2026-54759

SiYuan’s Lute HTML sanitizer (prior to version 3.7.0) fails to remove elements. When combined with the SiYuan Electron client’s permissive security configuration, a malicious in a Bazaar package README can trigger arbitrary command execution on the victim’s machine when package details are view...

8.7CVSS6.1AI score0.00262EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 9:21 p.m.4 views

CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...

8.7CVSS6.1AI score0.00262EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/14 11:12 p.m.10 views

SiYuan has incomplete fix for CVE-2026-33066: XSS

Summary The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block tags, allowing stored XSS via srcdoc attributes containing embedded scripts that execute in the Electron context. Affected Package - Ecosystem: Go - Package:...

9CVSS7AI score0.00584EPSS
Exploits2References7Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/07 7:31 p.m.7 views

CVE-2026-25647

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting XSS vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

5.4CVSS5.4AI score0.00204EPSS
Exploits1References1
NVD
NVD
added 2026/02/06 7:16 p.m.6 views

CVE-2026-25647

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting XSS vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

5.4CVSS0.00204EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/06 7:3 p.m.3 views

CVE-2026-25647 Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting XSS vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

4.6CVSS5.5AI score0.00204EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/06 7:3 p.m.5 views

EUVD-2026-5622

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting XSS vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

4.6CVSS5.4AI score0.00204EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/02/06 7:3 p.m.5 views

CVE-2026-25647

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting XSS vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

4.6CVSS5.5AI score0.00204EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/02/06 7:3 p.m.14 views

CVE-2026-25647

Lute

5.4CVSS5.5AI score0.00204EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/02/06 7:3 p.m.5 views

CVE-2026-25647 Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier as used in SiYuan before has a Stored Cross-Site Scripting XSS vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks...

4.6CVSS5.5AI score0.00204EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/02/06 12:0 a.m.4 views

PT-2026-6776

Name of the Vulnerable Software and Affected Versions Lute versions prior to 1.7.7 Description Lute, a structured Markdown engine supporting Go and JavaScript, contains a Stored Cross-Site Scripting XSS issue in its Markdown rendering engine. An attacker can inject malicious JavaScript into...

4.6CVSS5.5AI score0.00204EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/02/06 12:0 a.m.10 views

lute 跨站脚本漏洞

Lute is a structured Markdown engine developed by D individual. Versions of Lute 1.7.6 and earlier had a cross-site scripting vulnerability. This vulnerability stemmed from the Markdown rendering engine’s storage-based cross-site scripting feature, which could allow malicious JavaScript to be...

5.4CVSS5.6AI score0.00204EPSS
Exploits1References2
Rows per page
Query Builder