QwikSec

Security Database

CVE

CWE

Training

CVE-2026-23645

Published: Jan 16, 2026

Modified: Jan 16, 2026

PUBLISHED

Description

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Vendor	Product	Versions
siyuan-note	siyuan	affected `< 3.5.4-dev2`

Weaknesses (CWE)

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j

x_refsource_CONFIRM

https://github.com/siyuan-note/siyuan/issues/16844

x_refsource_MISC

https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.