CVE-2026-59833
Deferred Deferred - Pending Action

Stored XSS in SiYuan via Lute HTML Sanitization Bypass

Vulnerability report for CVE-2026-59833, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, SiYuan renders note and package content to HTML through the Lute engine with sanitization enabled, but Lute's dangerous javascript scheme block does not check form action or SVG xlink:href attributes, allowing stored cross-site scripting in document export-preview and Bazaar package README render paths that can execute OS commands in the Electron desktop renderer. This issue is fixed in versions 3.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
siyuan si_yuan 3.7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects SiYuan, an open-source personal knowledge management system, in versions prior to 3.7.1. The issue arises because the Lute engine, which renders note and package content to HTML with sanitization enabled, does not properly check certain attributes such as form action or SVG xlink:href. This allows stored cross-site scripting (XSS) attacks in document export-preview and Bazaar package README render paths. Exploiting this vulnerability can lead to execution of operating system commands within the Electron desktop renderer.

Impact Analysis

The vulnerability can allow an attacker to execute arbitrary operating system commands on the affected system through the Electron desktop renderer. This can lead to unauthorized actions, data compromise, or control over the user's environment, potentially resulting in significant security risks.

Mitigation Strategies

The vulnerability is fixed in SiYuan version 3.7.1. Immediate mitigation involves upgrading SiYuan to version 3.7.1 or later.

Since the issue involves stored cross-site scripting in document export-preview and Bazaar package README render paths that can execute OS commands in the Electron desktop renderer, avoid opening or rendering untrusted documents or packages until the upgrade is applied.

Compliance Impact

The vulnerability CVE-2026-59833 allows stored cross-site scripting (XSS) that can escalate to remote code execution (RCE) in the SiYuan application. This can lead to unauthorized execution of OS commands via malicious JavaScript embedded in note or package content.

Such a vulnerability can compromise the confidentiality, integrity, and availability of data managed by SiYuan, potentially exposing sensitive personal or health information if used in environments subject to regulations like GDPR or HIPAA.

Failure to mitigate this vulnerability could result in non-compliance with these regulations due to inadequate protection against unauthorized access and code execution, which are critical for maintaining data security and privacy.

Therefore, organizations using affected versions of SiYuan prior to 3.7.1 should update promptly to avoid risks that could lead to regulatory violations.

Detection Guidance

Detection of CVE-2026-59833 involves identifying if your SiYuan installation is running a vulnerable version (prior to 3.7.1) and if malicious content exploiting the sanitizer gap is present.

Since the vulnerability exploits stored cross-site scripting via the `action` attribute of <form> elements and the `xlink:href` attribute of SVG <a> elements, you can scan exported HTML documents, Bazaar package README files, or notes for suspicious javascript: URLs in these attributes.

Suggested commands include using command-line tools like grep or specialized HTML parsers to search for these patterns in your SiYuan data directories or exported files.

  • grep -r -iE 'action=["\']javascript:' /path/to/siyuan/data
  • grep -r -iE 'xlink:href=["\']javascript:' /path/to/siyuan/data

Additionally, monitoring network traffic for unexpected script execution or Electron renderer activity might help detect exploitation attempts, but specific commands for this are not provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart