VYPR
Moderate severityOSV Advisory· Published Jan 16, 2026· Updated Jan 16, 2026

SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload

CVE-2026-23645

Description

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/siyuan-note/siyuan/kernelGo
< 0.0.0-20260116101155-11115da3d0de0.0.0-20260116101155-11115da3d0de

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.

CVE-2026-23645 · moderate · VYPR