XSS in Siyuan-note Siyuan

CVE-2026-40922

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (12.6th percentile)

Affected products

Weakness classification (CWE)

References