XSS in Siyuan-note Siyuan

CVE-2026-33066

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The fron…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (28.8th percentile)
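A source-level check for the root cause in the description above, as an added example that is not SiYuan's or Lute's own code: it flags Go functions that call `lute.New()` without a `SetSanitize(true)` call in the same function body. The `sample` source and the names `renderBad`, `renderGood` and `FindUnsanitized` are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample: renderBad mirrors the flaw described above, renderGood the fix.
const sample = `package demo
func renderBad(md string) string { e := lute.New(); return e.MarkdownStr("", md) }
func renderGood(md string) string { e := lute.New(); e.SetSanitize(true); return e.MarkdownStr("", md) }
`

// FindUnsanitized lists functions that call lute.New() but never call
// SetSanitize(true) in the same function body (a heuristic, not data flow).
func FindUnsanitized(src string) ([]string, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var flagged []string
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		created, sanitized := false, false
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			if call, ok := n.(*ast.CallExpr); ok {
				if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
					pkg, _ := sel.X.(*ast.Ident)
					created = created || (pkg != nil && pkg.Name == "lute" && sel.Sel.Name == "New")
					sanitized = sanitized || (sel.Sel.Name == "SetSanitize" && len(call.Args) == 1 && types.ExprString(call.Args[0]) == "true")
				}
			}
			return true
		})
		if created && !sanitized {
			flagged = append(flagged, fn.Name.Name)
		}
	}
	return flagged, nil
}

func main() { fmt.Println(FindUnsanitized(sample)) }
```

The check works on syntax only, so an engine that is sanitized in a helper function or passed in from elsewhere needs manual review.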