CVE-2026-25647
📋 TL;DR
CVE-2026-25647 is a stored cross-site scripting (XSS) vulnerability in Lute's Markdown rendering engine that allows attackers to inject malicious JavaScript into Markdown content. When other users view or interact with the rendered content, the script executes in their browser session context. This affects users of Lute 1.7.6 and earlier, including SiYuan note software users.
💻 Affected Systems
- Lute
- SiYuan
📦 What is this software?
Siyuan by B3log
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the victim user, redirect to malicious sites, or compromise user accounts if the application handles sensitive data.
Likely Case
Attackers inject malicious scripts into shared notes/markdown content, potentially stealing session tokens or performing limited unauthorized actions within the application.
If Mitigated
With proper input validation and output encoding in place, the impact is limited to content sanitization failures.
🎯 Exploit Status
Exploitation requires ability to create or modify Markdown content that will be rendered for other users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Lute 1.7.7+
Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv
Restart Required: Yes
Instructions:
1. Update Lute to version 1.7.7 or later.
2. For SiYuan users, update to a version that includes the patched Lute engine.
3. Restart the application/service.
🔧 Temporary Workarounds
Input Sanitization
Applies to: all
Implement server-side input validation and sanitization for all user-provided Markdown content before rendering.
Content Security Policy
Applies to: all
Implement strict Content Security Policy headers to limit script execution sources.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-provided Markdown content.
- Disable JavaScript execution in rendered Markdown content through configuration or filtering.
🔍 How to Verify
Check if Vulnerable:
Check Lute version: if using 1.7.6 or earlier, you are vulnerable. Test by attempting to inject script tags in Markdown content and checking if they execute.
Check Version:
Check package.json or go.mod for Lute version, or check application documentation for embedded engine version.
Verify Fix Applied:
Update to Lute 1.7.7+ and test that script injection attempts are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns in Markdown content submissions
- Multiple failed script injection attempts
- Unexpected JavaScript execution errors
Network Indicators:
- Requests containing suspicious script patterns in Markdown payloads
- Unexpected external resource loads from rendered content
SIEM Query:
Search for patterns like '<script>', 'javascript:', or encoded script payloads in user content submissions.
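As an added illustration of the SIEM guidance above (example code written for this page, not from the advisory, Lute or SiYuan): a small Go scanner that applies the `<script>` and `javascript:` patterns to submission log lines, checking the raw text and its URL-decoded and HTML-entity-decoded forms so that encoded payloads are caught too. The `user=... body="..."` log format and the sample lines are constructed assumptions, not SiYuan's real log output.

```go
package main

import (
	"html"
	"net/url"
	"regexp"
)

// Finding: which advisory-listed pattern matched, and in which decoding pass it matched.
type Finding struct{ Indicator, Encoding string }
// The textual patterns named in the advisory's SIEM guidance, in report order.
var indicators = []struct{ name string; re *regexp.Regexp }{
	{"script-tag", regexp.MustCompile(`(?i)<\s*script\b`)},
	{"javascript-uri", regexp.MustCompile(`(?i)javascript\s*:`)},
}

// decodings yields the raw line plus any URL- or entity-decoded form that differs from it.
func decodings(s string) [][2]string {
	d := [][2]string{{"raw", s}}
	if u, err := url.QueryUnescape(s); err == nil && u != s {
		d = append(d, [2]string{"url", u})
	}
	if h := html.UnescapeString(s); h != s {
		d = append(d, [2]string{"html-entity", h})
	}
	return d
}

// ScanLine reports each indicator at most once, tagged with the first decoding it matched in.
func ScanLine(line string) []Finding {
	var found []Finding
	for _, ind := range indicators {
		for _, d := range decodings(line) {
			if ind.re.MatchString(d[1]) {
				found = append(found, Finding{ind.name, d[0]})
				break
			}
		}
	}
	return found
}

// Constructed sample submission log (hypothetical format, not SiYuan's real log output).
var sampleLog = []string{
	`user=alice action=note.update body="# Meeting notes: budget review"`,
	`user=mallory action=note.update body="<script>alert(1)</script>"`,
	`user=mallory action=note.update body="[click me](javascript:alert(1))"`,
	`user=mallory action=note.update body="%3Cscript%3Ealert(1)%3C%2Fscript%3E"`,
	`user=bob action=note.update body="Avoid javascript in docs; use &lt;b&gt; tags"`,
}
```

Lines 2 to 4 of the sample are flagged (the fourth only after URL decoding); lines 1 and 5 are not, since a bare mention of "javascript" without a colon and a harmless entity-encoded tag match neither pattern.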