CVE-2026-25647

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25647

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25647.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25647

Aliases

GHSA-rw25-98wq-76qv

Published

2026-02-06T19:03:36.847Z

Modified

2026-03-13T04:11:07.666950Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink

Details

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25647.json"
}

References

Affected packages

Git / github.com/88250/lute

Affected ranges

Type
Repo: https://github.com/88250/lute
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0118e218916cf0cc7df639b50ce74e0c6c3d1868

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25647.json"

Git / github.com/siyuan-note/siyuan

Affected ranges

Type: GIT
Repo: https://github.com/siyuan-note/siyuan
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1ad1f14c7af8869eb8206701cbde3f8e12d0b5af

Affected versions

dev2.*

dev2.0.17-1

dev2.0.17-2

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v0.2.7

v0.2.8

v0.2.9

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.4.1-x2

v0.4.2

v0.4.3

v0.4.3-x1

v0.4.32

v0.4.4

v0.4.5

v0.4.6

v0.4.7

v0.4.8

v0.4.9

v0.4.91

v0.4.92

v0.4.93

v0.4.94

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.41

v0.5.42

v0.5.43

v0.5.44

v0.5.45

v0.5.46

v0.5.5

v0.5.6

v0.5.6-alpha1

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.6.7

v0.6.8

v0.7.0

v0.7.1

v0.7.5

v0.7.8

v0.8.0

v0.8.5

v0.9.0

v0.9.2

v0.9.5

v0.9.6

v0.9.7

v0.9.8

v0.9.9

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.81

v1.1.82

v1.1.83

v1.2.0

v1.2.0-beta1

v1.2.0-beta10

v1.2.0-beta11

v1.2.0-beta12

v1.2.0-beta13

v1.2.0-beta14

v1.2.0-beta15

v1.2.0-beta16

v1.2.0-beta2

v1.2.0-beta3

v1.2.0-beta4

v1.2.0-beta5

v1.2.0-beta6

v1.2.0-beta7

v1.2.0-beta8

v1.2.0-beta9

v1.2.0-rc1

v1.2.0-rc2

v1.2.0-rc3

v1.2.1

v1.2.2

v1.2.3

v1.2.31

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.5-beta1

v1.5.5-beta2

v1.5.5-beta3

v1.5.6

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.7.0

v1.7.1

v1.7.10

v1.7.11

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.8.0

v1.8.1

v1.8.2

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v1.9.8

v1.9.9

v2.*

v2.0.0

v2.0.0-beta1

v2.0.0-beta2

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.15-dev1

v2.0.16

v2.0.17

v2.0.18

v2.0.19

v2.0.2

v2.0.20

v2.0.20-dev1

v2.0.21

v2.0.21-dev1

v2.0.22

v2.0.23

v2.0.24

v2.0.25

v2.0.26

v2.0.26-dev1

v2.0.26-dev2

v2.0.27

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.0-dev1

v2.1.1

v2.1.10

v2.1.11

v2.1.12

v2.1.13

v2.1.14

v2.1.2

v2.1.3

v2.1.3-dev1

v2.1.4

v2.1.5

v2.1.6

v2.1.6-dev1

v2.1.7

v2.1.8

v2.1.8-dev1

v2.1.9

v2.10.0

v2.10.1

v2.10.1-dev1

v2.10.10

v2.10.10-dev1

v2.10.11

v2.10.11-dev1

v2.10.11-dev2

v2.10.11-dev3

v2.10.12

v2.10.12-dev1

v2.10.12-dev2

v2.10.13

v2.10.13-dev1

v2.10.13-dev2

v2.10.13-dev3

v2.10.13-dev4

v2.10.13-dev5

v2.10.14

v2.10.14-dev1

v2.10.14-dev2

v2.10.15

v2.10.15-dev1

v2.10.15-dev2

v2.10.15-dev3

v2.10.16

v2.10.16-dev1

v2.10.16-dev2

v2.10.16-dev3

v2.10.2

v2.10.2-dev1

v2.10.3

v2.10.3-dev1

v2.10.3-dev2

v2.10.3-dev3

v2.10.4

v2.10.4-dev1

v2.10.4-dev2

v2.10.4-dev3

v2.10.5

v2.10.5-dev1

v2.10.5-dev2

v2.10.6

v2.10.6-dev1

v2.10.6-dev2

v2.10.6-dev3

v2.10.6-dev4

v2.10.7

v2.10.8

v2.10.8-dev1

v2.10.8-dev2

v2.10.8-dev3

v2.10.9

v2.10.9-dev1

v2.10.9-dev2

v2.10.9-dev3

v2.10.9-dev4

v2.10.9-dev5

v2.11.0

v2.11.0-dev1

v2.11.0-dev2

v2.11.0-dev3

v2.11.1

v2.11.1-dev1

v2.11.1-dev2

v2.11.1-dev3

v2.11.2

v2.11.2-dev1

v2.11.2-dev2

v2.11.2-dev3

v2.11.2-dev4

v2.11.2-dev5

v2.11.2-dev6

v2.11.3

v2.11.3-dev1

v2.11.3-dev2

v2.11.4

v2.11.4-dev1

v2.11.4-dev2

v2.11.4-dev3

v2.11.4-dev4

v2.11.4-dev5

v2.11.4-dev6

v2.12.0

v2.12.0-dev1

v2.12.1

v2.12.1-dev1

v2.12.1-dev2

v2.12.1-dev3

v2.12.2

v2.12.3

v2.12.3-dev1

v2.12.3-dev2

v2.12.3-dev3

v2.12.4

v2.12.4-dev1

v2.12.4-dev2

v2.12.5

v2.12.6

v2.12.6-dev1

v2.12.7

v2.12.7-dev1

v2.12.7-dev2

v2.12.8

v2.12.8-dev1

v2.12.8-dev2

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.4.0

v2.4.1

v2.4.10

v2.4.11

v2.4.12

v2.4.12-dev1

v2.4.12-dev2

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5.0

v2.5.0-dev1

v2.5.0-dev2

v2.5.1

v2.5.1-dev1

v2.5.1-dev2

v2.5.1-dev3

v2.5.1-dev4

v2.5.1-dev5

v2.5.2

v2.5.2-dev1

v2.5.2-dev2

v2.5.2-dev3

v2.5.3

v2.5.3-dev1

v2.5.3-dev2

v2.5.4

v2.5.4-dev1

v2.5.4-dev2

v2.5.5

v2.5.5-dev1

v2.6.0

v2.6.0-dev1

v2.6.0-dev2

v2.6.0-dev3

v2.6.1

v2.6.1-dev1

v2.6.1-dev2

v2.6.1-dev3

v2.6.1-dev4

v2.6.1-dev5

v2.6.1-dev6

v2.6.1-dev7

v2.6.2

v2.6.3

v2.6.3-dev1

v2.6.3-dev2

v2.6.3-dev3

v2.6.3-dev4

v2.6.3-dev5

v2.6.3-dev6

v2.7.0

v2.7.0-dev1

v2.7.0-dev2

v2.7.1

v2.7.1-dev1

v2.7.1-dev2

v2.7.1-dev3

v2.7.1-dev4

v2.7.1-dev5

v2.7.10

v2.7.2

v2.7.2-dev1

v2.7.2-dev2

v2.7.2-dev3

v2.7.3

v2.7.3-dev1

v2.7.3-dev2

v2.7.3-dev3

v2.7.3-dev4

v2.7.4

v2.7.4-dev1

v2.7.5

v2.7.5-dev1

v2.7.5-dev2

v2.7.6

v2.7.6-dev1

v2.7.6-dev2

v2.7.6-dev3

v2.7.6-dev4

v2.7.6-dev5

v2.7.7

v2.7.7-dev1

v2.7.7-dev2

v2.7.7-dev3

v2.7.7-dev4

v2.7.8

v2.7.8-dev1

v2.7.9

v2.7.9-dev1

v2.7.9-dev2

v2.8.0

v2.8.0-dev1

v2.8.0-dev2

v2.8.0-dev3

v2.8.1

v2.8.1-dev1

v2.8.1-dev2

v2.8.1-dev3

v2.8.10

v2.8.10-dev1

v2.8.10-dev2

v2.8.10-dev3

v2.8.10-dev4

v2.8.10-dev5

v2.8.2

v2.8.2-dev1

v2.8.2-dev2

v2.8.3

v2.8.3-dev1

v2.8.4

v2.8.4-dev1

v2.8.4-dev2

v2.8.5

v2.8.5-dev1

v2.8.5-dev2

v2.8.5-dev3

v2.8.6

v2.8.6-dev1

v2.8.6-dev2

v2.8.6-dev3

v2.8.6-dev4

v2.8.7

v2.8.7-dev1

v2.8.7-dev2

v2.8.7-dev3

v2.8.7-dev4

v2.8.7-dev5

v2.8.8

v2.8.8-dev1

v2.8.8-dev2

v2.8.8-dev3

v2.8.9

v2.8.9-dev1

v2.8.9-dev2

v2.8.9-dev3

v2.9.0

v2.9.0-dev1

v2.9.0-dev2

v2.9.1

v2.9.1-dev1

v2.9.1-dev2

v2.9.2

v2.9.2-dev1

v2.9.2-dev2

v2.9.2-dev3

v2.9.3

v2.9.3-dev1

v2.9.3-dev2

v2.9.3-dev3

v2.9.3-dev4

v2.9.4

v2.9.4-dev1

v2.9.4-dev2

v2.9.5

v2.9.5-dev1

v2.9.5-dev2

v2.9.6

v2.9.6-dev1

v2.9.7

v2.9.7-dev1

v2.9.7-dev2

v2.9.7-dev3

v2.9.8

v2.9.8-dev1

v2.9.8-dev2

v2.9.9

v2.9.9-dev1

v2.9.9-dev2

Other

v202205311650-dev

v3.*

v3.0.0

v3.0.0-dev1

v3.0.0-dev2

v3.0.1

v3.0.1-dev1

v3.0.1-dev2

v3.0.10

v3.0.10-dev1

v3.0.10-dev2

v3.0.10-dev3

v3.0.10-dev4

v3.0.10-dev5

v3.0.11

v3.0.11-dev1

v3.0.11-dev2

v3.0.11-dev3

v3.0.12

v3.0.12-dev1

v3.0.12-dev2

v3.0.12-dev3

v3.0.12-dev4

v3.0.12-dev5

v3.0.13

v3.0.13-dev1

v3.0.13-dev2

v3.0.13-dev3

v3.0.13-dev4

v3.0.14

v3.0.14-dev1

v3.0.14-dev2

v3.0.15

v3.0.15-dev1

v3.0.15-dev2

v3.0.16

v3.0.16-dev1

v3.0.16-dev2

v3.0.16-dev3

v3.0.17

v3.0.17-dev1

v3.0.17-dev2

v3.0.2

v3.0.2-dev1

v3.0.2-dev2

v3.0.3

v3.0.3-dev1

v3.0.3-dev2

v3.0.3-dev3

v3.0.3-dev4

v3.0.3-dev5

v3.0.3-dev6

v3.0.3-dev7

v3.0.4

v3.0.4-dev1

v3.0.4-dev2

v3.0.4-dev3

v3.0.5

v3.0.5-dev1

v3.0.5-dev2

v3.0.5-dev3

v3.0.5-dev4

v3.0.5-dev5

v3.0.6

v3.0.6-dev1

v3.0.6-dev2

v3.0.6-dev3

v3.0.7

v3.0.7-dev1

v3.0.8

v3.0.8-dev1

v3.0.8-dev2

v3.0.9

v3.1.0

v3.1.0-dev1

v3.1.0-dev10

v3.1.0-dev11

v3.1.0-dev12

v3.1.0-dev2

v3.1.0-dev3

v3.1.0-dev4

v3.1.0-dev5

v3.1.0-dev6

v3.1.0-dev7

v3.1.0-dev8

v3.1.0-dev9

v3.1.1

v3.1.1-dev1

v3.1.1-dev2

v3.1.10

v3.1.10-dev1

v3.1.10-dev2

v3.1.10-dev3

v3.1.10-dev4

v3.1.10-dev5

v3.1.10-dev6

v3.1.11

v3.1.11-dev1

v3.1.11-dev10

v3.1.11-dev11

v3.1.11-dev2

v3.1.11-dev3

v3.1.11-dev4

v3.1.11-dev5

v3.1.11-dev6

v3.1.11-dev7

v3.1.11-dev8

v3.1.11-dev9

v3.1.12

v3.1.12-dev1

v3.1.12-dev2

v3.1.12-dev3

v3.1.12-dev4

v3.1.12-dev5

v3.1.12-dev6

v3.1.13

v3.1.14

v3.1.14-dev1

v3.1.14-dev2

v3.1.14-dev3

v3.1.14-dev4

v3.1.14-dev5

v3.1.14-dev6

v3.1.14-dev7

v3.1.15

v3.1.15-dev1

v3.1.15-dev2

v3.1.15-dev3

v3.1.16

v3.1.16-dev1

v3.1.16-dev2

v3.1.17

v3.1.17-dev1

v3.1.17-dev2

v3.1.18

v3.1.18-dev1

v3.1.18-dev2

v3.1.19

v3.1.19-dev1

v3.1.19-dev2

v3.1.19-dev3

v3.1.2

v3.1.2-dev1

v3.1.2-dev2

v3.1.2-dev3

v3.1.2-dev4

v3.1.20

v3.1.20-dev1

v3.1.20-dev2

v3.1.20-dev3

v3.1.20-dev4

v3.1.21

v3.1.21-dev1

v3.1.21-dev2

v3.1.21-dev3

v3.1.21-dev4

v3.1.22

v3.1.22-dev1

v3.1.22-dev2

v3.1.23

v3.1.23-dev1

v3.1.23-dev2

v3.1.24

v3.1.24-dev1

v3.1.24-dev2

v3.1.24-dev3

v3.1.25

v3.1.25-dev1

v3.1.25-dev2

v3.1.25-dev3

v3.1.25-dev4

v3.1.25-dev5

v3.1.25-dev6

v3.1.26

v3.1.26-dev1

v3.1.26-dev2

v3.1.26-dev3

v3.1.27

v3.1.27-dev1

v3.1.27-dev2

v3.1.27-dev3

v3.1.27-dev4

v3.1.28

v3.1.28-dev1

v3.1.28-dev2

v3.1.28-dev3

v3.1.29

v3.1.29-dev1

v3.1.29-dev2

v3.1.29-dev3

v3.1.29-dev4

v3.1.29-dev5

v3.1.29-dev6

v3.1.29-dev7

v3.1.3

v3.1.3-dev1

v3.1.3-dev2

v3.1.30

v3.1.30-dev1

v3.1.31

v3.1.31-dev1

v3.1.31-dev2

v3.1.32

v3.1.32-dev1

v3.1.32-dev2

v3.1.32-dev3

v3.1.32-dev4

v3.1.32-dev5

v3.1.4

v3.1.4-dev1

v3.1.4-dev2

v3.1.4-dev3

v3.1.4-dev4

v3.1.4-dev5

v3.1.5

v3.1.5-dev1

v3.1.5-dev2

v3.1.6

v3.1.6-dev1

v3.1.6-dev2

v3.1.7

v3.1.7-dev1

v3.1.7-dev2

v3.1.7-dev3

v3.1.7-dev4

v3.1.7-dev5

v3.1.7-dev6

v3.1.7-dev7

v3.1.7-dev8

v3.1.8

v3.1.8-dev1

v3.1.8-dev2

v3.1.8-dev3

v3.1.9

v3.1.9-dev1

v3.1.9-dev10

v3.1.9-dev2

v3.1.9-dev3

v3.1.9-dev4

v3.1.9-dev5

v3.1.9-dev6

v3.1.9-dev7

v3.1.9-dev8

v3.1.9-dev9

v3.2.0

v3.2.0-dev1

v3.2.0-dev10

v3.2.0-dev2

v3.2.0-dev3

v3.2.0-dev4

v3.2.0-dev5

v3.2.0-dev6

v3.2.0-dev7

v3.2.0-dev8

v3.2.0-dev9

v3.2.1

v3.2.1-dev1

v3.2.1-dev2

v3.2.1-dev3

v3.2.1-dev4

v3.2.1-dev5

v3.2.1-dev6

v3.3.0

v3.3.0-dev1

v3.3.0-dev2

v3.3.0-dev3

v3.3.0-dev4

v3.3.0-dev5

v3.3.0-dev6

v3.3.0-dev7

v3.3.1

v3.3.1-dev1

v3.3.2

v3.3.2-dev1

v3.3.2-dev2

v3.3.3

v3.3.3-dev1

v3.3.3-dev2

v3.3.3-dev3

v3.3.3-dev4

v3.3.3-dev5

v3.3.4

v3.3.4-dev1

v3.3.4-dev2

v3.3.5

v3.3.5-dev1

v3.3.6

v3.3.6-dev1

v3.3.6-dev2

v3.4.0

v3.4.0-dev1

v3.4.0-dev2

v3.4.0-dev3

v3.4.0-dev4

v3.4.0-dev5

v3.4.1

v3.4.1-dev1

v3.4.1-dev2

v3.4.2

v3.4.2-dev1

v3.5.0

v3.5.0-dev1

v3.5.0-dev2

v3.5.1

v3.5.1-dev1

v3.5.1-dev2

v3.5.2

v3.5.2-dev1

v3.5.2-dev2

v3.5.3

v3.5.3-dev1

v3.5.3-dev2

v3.5.3-dev3

v3.5.3-dev4

v3.5.3-dev5

v3.5.3-dev6

v3.5.4

v3.5.4-dev1

v3.5.4-dev2

v3.5.4-dev3

v3.5.4-dev4

v3.5.4-dev5

v3.5.4-dev6

v3.5.5-dev1

v3.5.5-dev2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25647.json"