CVE-2026-54759
Status: Received - Intake
XSS via Malicious iframe in SiYuan Electron Client

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.
Generated: 2026-06-25

AI Q&A: 2026-06-25

EPSS Evaluated: N/A
Affected Vendors & Products

Vendor   Product   Version / Range
siyuan   siyuan    3.7.0
lute     lute      *
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, prior to version 3.7.0. The issue is due to Lute's HTML sanitizer not removing <iframe> elements. Because the SiYuan Electron client has a permissive security configuration, an attacker can embed a malicious <iframe> in a Bazaar package README file. When a user views the package details, the malicious iframe can execute arbitrary commands on the user's machine without requiring the package to be installed.
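The defect class described above is a sanitizer policy with a gap: an element the policy never considered passes through untouched. As an added illustration (not code from SiYuan or from Lute, whose sanitizer is written in Go), the Python sketch below contrasts a deny-list policy that only thought about `<script>` with an allow-list policy that discards `<iframe>` together with its contents. The README fragment, the `example.invalid` URLs and the element policy are constructed for the demonstration and are not taken from the affected project.

```python
"""Allow-list HTML sanitizer illustrating the defect class behind CVE-2026-54759.

Added example, not code from SiYuan or Lute; the README fragment and the policy
below are constructed for the demonstration.
"""
from html import escape
from html.parser import HTMLParser

# Elements whose whole subtree (tag, attributes and contents) is discarded.
DROP_WITH_CONTENT = frozenset({"script", "style", "iframe", "object", "embed", "svg", "math"})

# Allow-list: element -> attributes permitted on it. Anything else is removed.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "strong": set(), "i": set(), "em": set(),
    "code": set(), "pre": set(), "ul": set(), "ol": set(), "li": set(),
    "h1": set(), "h2": set(), "h3": set(), "blockquote": set(),
    "a": {"href", "title"}, "img": {"src", "alt", "title"},
}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID = frozenset({"br", "img"})


def _safe_url(value: str) -> bool:
    """Allow relative URLs, and absolute URLs only with a plain scheme."""
    v = value.strip().lower()
    return ":" not in v.split("/", 1)[0] or v.startswith(SAFE_SCHEMES)


class Sanitizer(HTMLParser):
    """Re-serialises a parsed fragment, keeping only what the policy permits.

    allowed=None switches to deny-list mode (keep every element not in `drop`),
    which is the shape of policy that lets an overlooked element through.
    """

    def __init__(self, allowed=ALLOWED, drop=DROP_WITH_CONTENT):
        super().__init__(convert_charrefs=True)
        self.allowed, self.drop = allowed, drop
        self.out = []
        self.drop_depth = 0  # > 0 while inside a dropped element's subtree

    def _permitted(self, tag):
        return self.allowed is None or tag in self.allowed

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID:
                self.drop_depth += 1
            return
        if tag in self.drop:
            self.drop_depth = 1
            return
        if not self._permitted(tag):
            return  # unknown element: tag removed, its text content kept (escaped)
        kept = []
        for name, value in attrs:
            if self.allowed is not None and name not in self.allowed[tag]:
                continue
            if name in ("href", "src") and value is not None and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing syntax opens no subtree, so it must not change drop_depth.
        if self.drop_depth or tag in self.drop:
            return
        self.handle_starttag(tag, attrs)
        if self._permitted(tag) and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID:
                # Leaving the dropped subtree. A dropped element that is never
                # closed fails safe: everything after it is discarded too.
                self.drop_depth -= 1
            return
        if self._permitted(tag) and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))  # text is always re-escaped on output

    def handle_comment(self, data):
        pass  # comments, doctypes and processing instructions are never re-emitted

    handle_decl = handle_pi = handle_comment


def sanitize(fragment: str, allowed=ALLOWED, drop=DROP_WITH_CONTENT) -> str:
    parser = Sanitizer(allowed, drop)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def denylist_sanitize(fragment: str) -> str:
    """A deny-list policy that only considered <script>: the frame survives."""
    return sanitize(fragment, allowed=None, drop=frozenset({"script"}))


# Constructed README fragment: ordinary markup plus an embedded frame and a script.
README = (
    '<h2>My Theme</h2><p>Hello <b>world</b> &amp; more</p>'
    '<iframe src="https://example.invalid/embed"><p>fallback</p></iframe>'
    '<script>console.log(1)</script>'
    '<a href="https://example.invalid/docs">docs</a><img src="logo.png" alt="logo">'
)

if __name__ == "__main__":
    print("deny-list :", denylist_sanitize(README))
    print("allow-list:", sanitize(README))
```

Run as-is, the deny-list output still contains the `<iframe>` element while the allow-list output contains only the headed paragraph, the link and the image. The point of the allow-list shape is that a new or overlooked element is dropped by default rather than passed through; the renderer's own configuration (in SiYuan's case, the Electron client) is a second, independent layer and is not a substitute for this one.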

Impact Analysis

This vulnerability can lead to arbitrary command execution on the victim's machine simply by viewing a package's README details in the SiYuan client. An attacker can therefore run code on the victim's machine without the user installing the package, which could result in system compromise, data theft, or other malicious activity.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.0 or later, where the issue with Lute's HTML sanitizer not removing <iframe> elements is fixed.

Until the upgrade is applied, avoid viewing Bazaar package details in versions prior to 3.7.0, since viewing alone is enough to trigger the command execution.
