CVE-2026-25647— Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink

Lute has a Stored Cross-Site Scripting (XSS) via Markdown hyperlink

Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

lute 跨站脚本漏洞

lute是D个人开发者的一款结构化的Markdown引擎。 lute 1.7.6及之前版本存在跨站脚本漏洞，该漏洞源于Markdown渲染引擎存在存储型跨站脚本，可能导致在用户会话环境中执行恶意JavaScript。

N/A

N/A