CVE-2026-23645

Description

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Passive

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

Low

Integrity (Subsequent System)

Low

Availability (Subsequent System)

None

Affected products

siyuan-note / siyuan< 3.5.4-dev2 – < 3.5.4-dev2

References

VENDOR_ADVISORYhttps://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
MISChttps://github.com/siyuan-note/siyuan/issues/16844
PATCHhttps://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388