Loading market data...
← Back to CVE feed

CVE-2026-54759

UNKNOWN View on NVD ↗

Description

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove <iframe> elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious <iframe> in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.

Published: Jun 24, 2026 22:16 UTC Modified: Jun 25, 2026 14:22 UTC