Executive Summary

CVE-2026-25647 is a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine used by Siyuan Note and the Lute markdown engine. It occurs because the engine does not properly sanitize HTML attributes, especially in hyperlinks and image sources, allowing an attacker to inject malicious JavaScript code into Markdown notes.

When a user views and clicks on the rendered malicious Markdown content, the injected script executes in the context of their session, potentially compromising their security.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to several security impacts including:'}, {'type': 'list_item', 'content': "Execution of malicious JavaScript in the context of a user's session."}, {'type': 'list_item', 'content': 'Theft of session cookies, which can allow attackers to hijack user sessions.'}, {'type': 'list_item', 'content': 'Unauthorized actions performed on behalf of the user via Cross-Site Request Forgery (CSRF).'}, {'type': 'list_item', 'content': 'Redirection of users to malicious websites.'}, {'type': 'list_item', 'content': 'Page defacement or manipulation of the Document Object Model (DOM) to alter the appearance or behavior of the web page.'}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying Markdown notes or content that contain malicious JavaScript payloads embedded in hyperlinks or image sources. Specifically, look for Markdown links with URI schemes such as "javascript:" or "data:" that could execute scripts when rendered.'}, {'type': 'paragraph', 'content': 'You can search for suspicious Markdown content using commands that scan files or database entries for patterns like "javascript:" in link hrefs.'}, {'type': 'list_item', 'content': "Use grep or similar tools to find suspicious Markdown links: grep -r '\\[.*\\](javascript:' /path/to/markdown/files"}, {'type': 'list_item', 'content': "Search for data URI schemes that might embed scripts: grep -r '\\[.*\\](data:' /path/to/markdown/files"}, {'type': 'list_item', 'content': "If the Markdown content is stored in a database, run SQL queries to find entries containing 'javascript:' or 'data:' in relevant fields."}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the affected software to a patched version that includes proper sanitization of Markdown content.'}, {'type': 'paragraph', 'content': 'Specifically, upgrade Siyuan Note to version 3.5.5 or later, where the vulnerability has been fixed by enhancing the Lute Markdown engine to sanitize dangerous input in hyperlink (href) and image source (src) attributes.'}, {'type': 'paragraph', 'content': "Additionally, configure the Markdown parser to use a robust allowlist-based sanitization library such as DOMPurify to block dangerous URI schemes like 'javascript:' and 'data:' in Markdown links."}, {'type': 'paragraph', 'content': 'Avoid rendering untrusted Markdown content without sanitization, and educate users to be cautious about clicking links in Markdown notes.'}] [1, 2]

Useful 0 Not Useful 0