CVE-2026-23645

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Configurations

Configuration 1

Match condition: OR
  cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
  cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:*

History

17 Jun 2026, 10:21

Summary
  Values Added: (es) SiYuan is self-hosted, open source personal knowledge management software. Prior to version 3.5.4-dev2, a stored cross-site scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (for example, one imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability has been fixed in version 3.5.4-dev2.
References
  Values Removed: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j - Exploit, Vendor Advisory, Patch
  Values Added: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j - Exploit, Patch, Vendor Advisory

30 Jan 2026, 19:32

References
  Values Removed: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388
  Values Added: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 - Patch
References
  Values Removed: https://github.com/siyuan-note/siyuan/issues/16844
  Values Added: https://github.com/siyuan-note/siyuan/issues/16844 - Issue Tracking, Patch
References
  Values Removed: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
  Values Added: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j - Exploit, Vendor Advisory, Patch
First Time
  Values Added: B3log; B3log siyuan
CPE
  Values Added: cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:*; cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 6.1

16 Jan 2026, 20:15

New CVE

Information

Published : 2026-01-16 20:15

Updated : 2026-06-17 10:21


NVD link : CVE-2026-23645

Mitre link : CVE-2026-23645

CVE.ORG link : CVE-2026-23645


Products Affected

b3log

  • siyuan
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')