Stored Cross-Site Scripting in SiYuan Personal Knowledge Management System
CVE-2026-59833

8.6HIGH

Key Information:

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-59833?

SiYuan, an open-source personal knowledge management system, has a vulnerability affecting versions prior to 3.7.1. This vulnerability is due to Lute engine's insufficient sanitization of dangerous JavaScript schemes. Specifically, the sanitization does not adequately verify attributes like form action or SVG xlink:href. As a result, an attacker can exploit this flaw to enable stored cross-site scripting (XSS) attacks. These attacks can occur during document export-preview and in the rendering of Bazaar package README paths, potentially allowing the execution of OS commands through the Electron desktop renderer. Users are encouraged to upgrade to version 3.7.1 or later to mitigate this risk.

Affected Version(s)

siyuan < 3.7.1

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.