cbcvebase.
CVE-2026-54759
published 2026-06-24

CVE-2026-54759: SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan…

PriorityP353high8.7CVSS 4.0
AVNACLATNPRNUIPVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.26%
17.5th percentile
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary commands on the victim's machine when the package details are viewed. No package installation is required. This vulnerability is fixed in 3.7.0.

Affected

1 ranges
VendorProductVersion rangeFixed in
siyuan-notesiyuan< 3.7.03.7.0
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.