Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23645

CVE-2026-23645: SiYuan Note Stored XSS Vulnerability

CVE-2026-23645 is a stored cross-site scripting vulnerability in SiYuan Note that allows malicious SVG files to execute JavaScript in user sessions. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-23645 Overview

CVE-2026-23645 is a Stored Cross-Site Scripting (XSS) vulnerability in SiYuan Note, a self-hosted, open source personal knowledge management software. The application fails to properly sanitize uploaded SVG files, allowing arbitrary JavaScript code execution when a user uploads and views a malicious SVG file. This is particularly dangerous when importing content from untrusted sources, as the malicious script executes within the context of the user's authenticated session.

Critical Impact

Attackers can execute arbitrary JavaScript in authenticated user sessions by tricking users into importing malicious SVG files, potentially leading to session hijacking, data theft, or account compromise.

Affected Products

  • SiYuan Note versions prior to 3.5.4-dev2
  • Self-hosted SiYuan installations with SVG file upload functionality
  • Users importing SVG files from untrusted external sources

Discovery Timeline

  • 2026-01-16 - CVE-2026-23645 published to NVD
  • 2026-01-16 - Last updated in NVD database

Technical Details for CVE-2026-23645

Vulnerability Analysis

This Stored Cross-Site Scripting vulnerability stems from insufficient input validation on SVG file uploads in SiYuan Note. SVG (Scalable Vector Graphics) files are XML-based and can contain embedded JavaScript code within <script> elements or event handlers like onload, onclick, or onerror attributes. When SiYuan renders these SVG files without sanitization, the embedded scripts execute in the browser context of the authenticated user.

The attack surface is particularly concerning because knowledge management applications frequently involve importing and sharing content. Users may receive SVG files from colleagues, download templates from the internet, or import notebooks from external sources—all of which could contain weaponized SVG files.

Root Cause

The root cause is the absence of script sanitization for SVG files stored as assets within SiYuan Note. Unlike HTML content which may have had some sanitization controls, SVG files were processed and rendered without filtering potentially dangerous JavaScript elements and event handlers. This oversight allowed the persistent storage and execution of malicious scripts.

Attack Vector

The attack requires user interaction—specifically, a victim must upload and then view a malicious SVG file. The attack can be delivered through several vectors:

  1. Phishing: An attacker sends a notebook export or SVG asset disguised as legitimate content
  2. Shared Workspaces: In collaborative environments, an attacker places a malicious SVG in shared storage
  3. Import Functionality: Malicious SVG embedded in imported markdown or note packages

Once the SVG is viewed, the JavaScript executes with the same privileges as the authenticated user, enabling session token theft, data exfiltration, or further manipulation of the user's notes and configuration.

text
   "click": "نقر",
   "allowHTMLBLockScript": "‫السماح بتنفيذ البرامج النصية في كتل HTML‬",
   "allowHTMLBLockScriptTip": "‫بعد التمكين، لن يتم تصحيح البرنامج النصي في كتلة HTML، يرجى إدراك المخاطر المحتملة لهجمات XSS‬",
+  "allowSVGScript": "السماح بتشغيل السكربتات داخل SVG",
+  "allowSVGScriptTip": "عند التفعيل، لن يتم تصفية الكود داخل SVG لأغراض الأمان. يرجى الانتباه إلى مخاطر XSS المحتملة",
   "autoLaunchMode0": "عدم التشغيل تلقائيًا",
   "autoLaunchMode1": "التشغيل التلقائي بعد الإقلاع",
   "autoLaunchMode2": "التشغيل التلقائي وتقليل الواجهة الرئيسية بعد الإقلاع",

Source: GitHub Commit

The patch introduces a new configuration option allowSVGScript that defaults to disabled, preventing script execution within SVG files unless explicitly enabled by the user who acknowledges the XSS risk.

Detection Methods for CVE-2026-23645

Indicators of Compromise

  • SVG files in the SiYuan assets directory containing <script> tags or JavaScript event handlers
  • Unexpected network requests originating from the SiYuan application to external domains
  • Browser console errors or script execution logs when viewing SVG assets
  • Presence of SVG files with encoded or obfuscated JavaScript content

Detection Strategies

  • Implement file content scanning for SVG uploads to detect embedded script elements
  • Monitor for SVG files containing suspicious patterns such as javascript:, <script>, onerror=, onload=, or Base64-encoded payloads
  • Review browser developer tools for unexpected script execution when viewing note assets
  • Deploy Content Security Policy (CSP) headers to restrict inline script execution

Monitoring Recommendations

  • Enable verbose logging for file uploads and asset access in SiYuan Note
  • Set up alerts for SVG files with script-related content patterns in upload directories
  • Monitor outbound network connections from the SiYuan process for data exfiltration attempts
  • Regularly audit imported content and shared notebooks for suspicious SVG files

How to Mitigate CVE-2026-23645

Immediate Actions Required

  • Upgrade SiYuan Note to version 3.5.4-dev2 or later immediately
  • Review existing SVG files in your SiYuan assets for potentially malicious content
  • Avoid importing SVG files from untrusted or unverified sources
  • If upgrade is not immediately possible, manually inspect all SVG files before viewing

Patch Information

The vulnerability has been addressed in SiYuan Note version 3.5.4-dev2. The fix implements SVG script sanitization by default, with a new user-configurable option allowSVGScript that must be explicitly enabled to permit script execution within SVG files. Users can review the patch details in the GitHub commit and the GitHub Security Advisory.

Workarounds

  • Disable SVG file uploads entirely until the patch can be applied
  • Implement server-side SVG sanitization using libraries that strip script elements before storage
  • Use browser extensions or CSP configurations to block inline script execution from SVG content
  • Isolate SiYuan Note in a sandboxed environment to limit the impact of potential XSS attacks
bash
# Verify SiYuan Note version after upgrade
# Check the application settings or about page for version 3.5.4-dev2 or later

# Scan existing SVG files for potential XSS payloads
grep -rn -E "(script|javascript:|onerror|onload)" /path/to/siyuan/data/assets/*.svg

# Review SVG files containing suspicious content before viewing

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne