CVE-2026-25647 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Lute Markdown engine version 1.7.6 and earlier, which is integrated into the siyuan-note application before version 3.5.5. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an attacker to embed malicious JavaScript code within Markdown notes. When another user accesses and renders the compromised note, the injected script executes within their browser context, potentially exposing session tokens, cookies, or enabling actions on behalf of the victim user. The attack vector requires the attacker to have at least low privileges (PR:L) to submit malicious Markdown content and the victim to perform user interaction (UI:R), such as clicking or viewing the note. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) indicates network attack vector, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk in collaborative environments where multiple users can create or edit notes. The lack of a patch link suggests users must upgrade to siyuan-note 3.5.5 or later, where this vulnerability is presumably fixed.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information such as session cookies or user credentials if exploited, enabling further attacks like session hijacking or privilege escalation within the affected application. The integrity of note content can also be compromised, potentially misleading users or injecting malicious payloads into internal communications. Although availability is not impacted, the breach of confidentiality and integrity can undermine trust in collaboration platforms. Organizations using siyuan-note for knowledge management, documentation, or team collaboration are at risk, especially if untrusted users or external collaborators have note editing permissions. The medium severity rating reflects that exploitation requires some user interaction and privileges, limiting the scope but not eliminating risk. The absence of known exploits reduces immediate threat but does not preclude future attacks. European entities with strict data protection regulations (e.g., GDPR) must consider the risk of data leakage and reputational damage.

European organizations should immediately upgrade siyuan-note installations to version 3.5.5 or later, where this vulnerability is addressed. Until upgrading, restrict note creation and editing permissions to trusted users only to minimize injection risk. Implement input validation and sanitization on Markdown content at the application level to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. Monitor logs for unusual note content submissions or user activity indicative of exploitation attempts. Educate users to be cautious when interacting with notes from untrusted sources, especially avoiding clicking suspicious links or content. Regularly audit and review collaboration platform configurations and user permissions to enforce the principle of least privilege. Finally, maintain an incident response plan to quickly address any detected exploitation.