GHSA-PCJQ-J3MQ-JV5J

Vulnerability from github – Published: 2026-01-16 19:22 – Updated: 2026-01-21 16:12
Summary
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.

Details

The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as <script> tags or event-handler attributes).

PoC

  1. Create a new "Daily note" in the workspace.
  2. Create a file named test.svg with malicious JavaScript inside:
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
  <rect width="124" height="124" rx="24" fill="red"/>
  <script type="text/javascript">
    alert(window.origin);
  </script>
</svg>
  3. Upload the file into the current daily note.
  4. Open the file: right-click the uploaded asset in the note and select "Export".
  5. The JavaScript code executes immediately.
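The advisory does not say how the maintainers fixed this (the commit is linked under Solution). The Go scanner below is an added example, not SiYuan's code, of the upload-time check a server could apply to reject SVG files that carry active content. It uses only encoding/xml from the standard library. The sample documents are constructed here: a copy of the PoC payload above plus variants the PoC does not show (an event-handler attribute, a javascript: href obfuscated with a tab, a foreignObject wrapper, and malformed XML). The check fails closed: anything the strict parser cannot tokenize is rejected, because browsers will render what this parser refuses.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Elements that can carry executable or arbitrary HTML content inside an SVG.
// Names are compared case-insensitively: XML is case-sensitive, but an HTML
// parser (innerHTML, text/html misdetection) would still treat <SCRIPT> as script.
var activeElements = map[string]bool{
	"script":        true,
	"foreignobject": true, // admits an XHTML subtree, including <script>
}

// ScanSVG returns nil when the document contains no active content, or an error
// naming the first offending construct. Malformed XML is rejected as well.
func ScanSVG(r io.Reader) error {
	dec := xml.NewDecoder(r) // Strict mode is the default
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("reject: malformed XML: %w", err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // character data, comments, directives, end tags
		}
		if activeElements[strings.ToLower(se.Name.Local)] {
			return fmt.Errorf("reject: <%s> element", se.Name.Local)
		}
		for _, a := range se.Attr {
			// Every SVG attribute beginning with "on" (onload, onclick, onbegin...)
			// is an event handler; no presentation attribute shares that prefix.
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") {
				return fmt.Errorf("reject: event handler attribute %s", a.Name.Local)
			}
			if hasScriptScheme(a.Value) {
				return fmt.Errorf("reject: script URL in attribute %s", a.Name.Local)
			}
		}
	}
}

// hasScriptScheme reports whether an attribute value, after the decoder has
// resolved character references, resolves to a javascript: or data:text/html URL.
// Browsers ignore whitespace and control characters inside the scheme
// ("java\tscript:"), so those are stripped before comparing.
func hasScriptScheme(v string) bool {
	clean := strings.Map(func(r rune) rune {
		if r <= ' ' {
			return -1
		}
		return r
	}, v)
	clean = strings.ToLower(clean)
	return strings.HasPrefix(clean, "javascript:") || strings.HasPrefix(clean, "data:text/html")
}

// Constructed samples (not taken from any real upload).
const pocSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="red"/>
   <script type="text/javascript">
      alert(window.origin);
   </script>
</svg>`
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="blue"/></svg>`
const handlerSVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>`
const hrefSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="java&#9;script:alert(1)"><text y="10">x</text></a></svg>`
const foreignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="10" height="10"><div xmlns="http://www.w3.org/1999/xhtml">hi</div></foreignObject></svg>`
const brokenSVG = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"></svg>` // unclosed <rect>

func main() {
	samples := []struct{ name, doc string }{
		{"poc", pocSVG}, {"benign", benignSVG}, {"handler", handlerSVG},
		{"href", hrefSVG}, {"foreign", foreignSVG}, {"broken", brokenSVG},
	}
	for _, s := range samples {
		if err := ScanSVG(strings.NewReader(s.doc)); err != nil {
			fmt.Printf("%-8s %v\n", s.name, err)
		} else {
			fmt.Printf("%-8s accepted\n", s.name)
		}
	}
}
```

The scan is an accept-or-reject gate, not a sanitizer that rewrites the file, so a legitimate SVG with an onload animation is simply refused. It also does not replace transport-level defences. A script inside an SVG runs only when the file is opened as its own document, which is what the Export step above does; it does not run when the SVG is referenced from an img element. Serving uploaded assets with a Content-Disposition: attachment header and a Content-Security-Policy: sandbox header, or from a separate origin, closes that path even when a payload slips past the scanner.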

Impact

The vulnerability allows an SVG file containing malicious scripts to be uploaded into a workspace. When a user exports this file, the embedded JavaScript code is executed within their browser context, in the same origin as their authenticated session.

Notes

Tested version: given only as a screenshot in the original advisory.

Solution

https://github.com/siyuan-note/siyuan/issues/16844

Fix commit: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 (the OSV record below lists the fixed kernel version as 0.0.0-20260116101155-11115da3d0de).


{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260116101155-11115da3d0de"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-16T19:22:08Z",
    "nvd_published_at": "2026-01-16T20:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.\n\n### Details\nThe application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as \u003cscript\u003e tags or event handlers).\n\n### PoC\n1. Create a new \"Daily note\" in the workspace.\n\u003cimg width=\"1287\" height=\"572\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3a4389b9-695d-4e1b-94dc-72efdb047aa9\" /\u003e\n2. Create a file named  test.svg with malicious JavaScript inside:\n\n```\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" width=\"200\" height=\"200\" viewBox=\"0 0 124 124\" fill=\"none\"\u003e\n\u003crect width=\"124\" height=\"124\" rx=\"24\" fill=\"red\"/\u003e\n   \u003cscript type=\"text/javascript\"\u003e  \n      alert(window.origin);\n   \u003c/script\u003e\n\u003c/svg\u003e\n```\n3. Upload a file in current daily note:\n\u003cimg width=\"1617\" height=\"316\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6e14318a-08ec-48e5-b278-9174ad17cfcb\" /\u003e\n\u003cimg width=\"1482\" height=\"739\" alt=\"image\" src=\"https://github.com/user-attachments/assets/95c996e8-5591-436a-9467-ab56c9ffbde0\" /\u003e\n\u003cimg width=\"1321\" height=\"548\" alt=\"image\" src=\"https://github.com/user-attachments/assets/249fb187-3caa-4372-a9c9-56dfda6b8a8f\" /\u003e\n4. Open the file:\n\n- Right-click the uploaded asset in the note.\n- Select \"Export\"\n\u003cimg width=\"934\" height=\"718\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ec943dfa-92ba-47f6-8b1e-56e53f1b0ca6\" /\u003e\n5. The JavaScript code executes immediately.\n\u003cimg width=\"1033\" height=\"632\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a1611291-d333-4f8e-9da9-62104aaa1bdd\" /\u003e\n\u003cimg width=\"1381\" height=\"641\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d5018203-dbd0-4285-8702-8cb3e7c5cd07\" /\u003e\n\n### Impact\nThe vulnerability allows  to upload an SVG file containing malicious scripts. When a user  exports this file, the embedded arbitrary JavaScript code is executed within their browser context\n\n###  Notes\nTested  version: \n\u003cimg width=\"1440\" height=\"534\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a62271e4-6850-4f59-be88-c4f8055429c0\" /\u003e\n\n### Solution\n\nhttps://github.com/siyuan-note/siyuan/issues/16844",
  "id": "GHSA-pcjq-j3mq-jv5j",
  "modified": "2026-01-21T16:12:37Z",
  "published": "2026-01-16T19:22:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/issues/16844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload"
}

