Unrated severityNVD Advisory· Published Feb 6, 2026· Updated Feb 9, 2026

Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink

CVE-2026-25647

Description

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.

Affected products

Siyuan Note/Siyuanv5
Range: < 3.5.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868mitrex_refsource_MISC
github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qvmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000