CVE-2026-54759
Deferred Deferred - Pending Action

XSS via Malicious iframe in SiYuan Electron Client

Vulnerability report for CVE-2026-54759, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
siyuan siyuan 3.7.0
lute lute *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves the inclusion of malicious <iframe> elements in Bazaar package README files that execute arbitrary commands when viewed in the SiYuan Electron client. Detection can focus on identifying such malicious <iframe> tags within README files or monitoring for suspicious Electron client behavior.

Since the vulnerability exploits the presence of <iframe> tags in package README files, one approach is to scan README files for <iframe> elements.

  • Use a command like `grep -r '<iframe' /path/to/bazaar/packages/` to search recursively for <iframe> tags in README files.
  • Monitor network traffic for unexpected cross-origin API requests initiated by the SiYuan Electron client, which may indicate exploitation attempts.

However, no specific detection commands or tools are provided in the available resources.

Executive Summary

This vulnerability exists in SiYuan, an open-source personal knowledge management system, prior to version 3.7.0. The issue is due to Lute's HTML sanitizer not removing <iframe> elements. Because the SiYuan Electron client has a permissive security configuration, an attacker can embed a malicious <iframe> in a Bazaar package README file. When a user views the package details, the malicious iframe can execute arbitrary commands on the user's machine without requiring the package to be installed.

Impact Analysis

This vulnerability can lead to arbitrary command execution on the victim's machine simply by viewing a package's README details in the SiYuan client. This means an attacker can potentially run malicious code remotely without the user installing any software, which could result in system compromise, data theft, or other malicious activities.

Mitigation Strategies

To mitigate this vulnerability, upgrade SiYuan to version 3.7.0 or later, where the issue with Lute's HTML sanitizer not removing <iframe> elements is fixed.

Avoid viewing Bazaar package details in vulnerable versions prior to 3.7.0 to prevent execution of arbitrary commands.

Compliance Impact

The vulnerability allows remote code execution and potential access to user data by exploiting the inclusion of malicious <iframe> elements in package READMEs. This unauthorized access and execution could lead to data breaches or unauthorized data manipulation, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, since the attack can execute arbitrary commands and potentially access sensitive user data without user consent, it poses risks to confidentiality, integrity, and availability of data, which are core principles in regulations such as GDPR and HIPAA.

Therefore, organizations using affected versions of SiYuan prior to 3.7.0 may face compliance challenges if this vulnerability is exploited, as it undermines the security controls required to protect personal and sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54759. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart