CVE-2026-54759
SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.
| CWE | CWE-79 |
| Vendor | siyuan-note |
| Product | siyuan |
| Published | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for siyuan-note siyuan
Be the first to know when new unknown vulnerabilities affecting siyuan-note siyuan are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
siyuan-note / siyuan
< 3.7.0