CVE-2026-25647
Stored XSS in Lute Markdown Engine Allows Script Injection
Publication date: 2026-02-06
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b3log | siyuan | 3.5.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25647 is a stored cross-site scripting (XSS) vulnerability in Lute, the Markdown rendering engine used by Siyuan Note. It occurs because the engine does not properly sanitize HTML attributes, in particular hyperlink targets (href) and image sources (src), which lets an attacker embed malicious JavaScript in a Markdown note.
When another user views the rendered note and clicks the crafted link, the injected script executes in the context of that user's session, potentially compromising their account and data.
How can this vulnerability impact me?
This vulnerability can lead to several security impacts, including:
- Execution of malicious JavaScript in the context of a user's session.
- Theft of session cookies, which can allow attackers to hijack user sessions.
- Unauthorized actions performed on behalf of the user via Cross-Site Request Forgery (CSRF).
- Redirection of users to malicious websites.
- Page defacement or manipulation of the Document Object Model (DOM) to alter the appearance or behavior of the web page. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying Markdown notes or content that contain malicious JavaScript payloads embedded in hyperlinks or image sources. Specifically, look for Markdown links with URI schemes such as "javascript:" or "data:" that could execute scripts when rendered.
You can search for suspicious Markdown content using commands that scan files or database entries for patterns like "javascript:" in link hrefs.
- Use grep or similar tools to find suspicious Markdown links: `grep -r '\[.*\](javascript:' /path/to/markdown/files`
- Search for data URI schemes that might embed scripts: `grep -r '\[.*\](data:' /path/to/markdown/files`
- If the Markdown content is stored in a database, run SQL queries to find entries containing 'javascript:' or 'data:' in the relevant fields. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the affected software to a patched version that includes proper sanitization of Markdown content.
Specifically, upgrade Siyuan Note to version 3.5.5 or later, where the vulnerability has been fixed by enhancing the Lute Markdown engine to sanitize dangerous input in hyperlink (href) and image source (src) attributes.
Additionally, configure the Markdown parser to use a robust allowlist-based sanitization library such as DOMPurify to block dangerous URI schemes like 'javascript:' and 'data:' in Markdown links.
Avoid rendering untrusted Markdown content without sanitization, and educate users to be cautious about clicking links in Markdown notes. [1, 2]
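The detection advice (grep for "javascript:" and "data:" destinations) and the mitigation advice (allowlist-based scheme sanitization of href and src) both reduce to one check: classify each link or image destination by its URL scheme after the decoding a Markdown renderer and a browser would apply. The Go example below is added here and is not SiYuan's or Lute's code; the AllowedSchemes policy, the simplified link matcher and the SampleNote input are constructed assumptions. It returns both the rewritten note and the list of rejected destinations, so the same routine serves scanning stored notes and sanitizing before render.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// AllowedSchemes is an example allowlist (assumed policy, not SiYuan's own).
var AllowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true}

// linkRe approximates CommonMark "[text](dest)" / "![alt](dest)", allowing
// one level of balanced parentheses inside the destination.
var linkRe = regexp.MustCompile(`(!?)\[([^\]]*)\]\(((?:[^()]|\([^()]*\))*)\)`)

// ctlRe matches the ASCII whitespace/control bytes browsers ignore in href.
var ctlRe = regexp.MustCompile(`[\x00-\x20\x7f]`)

// IsSafeURL accepts relative destinations and allowlisted schemes only. It
// decodes HTML entities (as the renderer would) and strips control bytes first,
// so "JaVaScRiPt:", "java\tscript:" and "javascript&#58;" are all rejected.
func IsSafeURL(dest string) bool {
	cleaned := ctlRe.ReplaceAllString(html.UnescapeString(dest), "")
	u, err := url.Parse(cleaned)
	if err != nil {
		return false // unparsable destination: fail closed
	}
	return u.Scheme == "" || AllowedSchemes[strings.ToLower(u.Scheme)]
}

// ScanMarkdown rewrites every rejected destination to "#" (mitigation) and
// also returns the rejected destinations for logging or search (detection).
func ScanMarkdown(markdown string) (string, []string) {
	var rejected []string
	sanitized := linkRe.ReplaceAllStringFunc(markdown, func(s string) string {
		m := linkRe.FindStringSubmatch(s)
		if IsSafeURL(m[3]) {
			return s
		}
		rejected = append(rejected, m[3])
		return fmt.Sprintf("%s[%s](#)", m[1], m[2])
	})
	return sanitized, rejected
}

// SampleNote is a constructed note mixing safe and unsafe destinations.
const SampleNote = "[docs](https://example.com/docs) [mail](mailto:a@example.com) [local](/notes/a.md)\n" +
	"[one](javascript:alert(1)) ![two](data:text/html;base64,AAAA) [three](JaVaScRiPt:alert(1)) [four](javascript&#58;alert(1))"
```

Because the check runs after entity decoding and control-byte stripping, case changes, embedded tabs and numeric entities in the scheme do not slip past it, which a plain grep for the literal string "javascript:" would miss.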