Description
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Published: 2026-01-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting execution in an authenticated user’s session
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability allows an attacker to upload a crafted SVG file that the application fails to sanitize. When a legitimate user opens the file, arbitrary JavaScript runs within the context of that user’s authenticated session, potentially stealing session credentials or manipulating the user’s data. The weakness is a classic stored XSS, matching the CWE‑79 classification.

Affected Systems

The flaw affects versions of Siyuan Note prior to 3.5.4‑dev2, including the 3.5.4‑dev1 release. It is present in the open‑source self‑hosted knowledge‑management software developed by B3log.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1 % signals a low likelihood of exploitation at this time. The bug is not listed in the Current Exploited Vulnerabilities catalog, so no known widespread attacks are reported. Exploitation requires a user with upload privileges to deliver the malicious SVG; once the file is processed, the attacker can execute code in that user’s browser.

Generated by OpenCVE AI on April 18, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 3.5.4-dev2 or later to apply the SVG sanitization fix.
  • Delete or quarantine any SVG files that were uploaded before the fix was applied.
  • Restrict file upload types to safe formats and enforce MIME type validation to prevent SVG uploads if not required.

Generated by OpenCVE AI on April 18, 2026 at 16:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pcjq-j3mq-jv5j SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
History

Fri, 30 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Sat, 17 Jan 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Description SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.
Title SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T21:37:58.336Z

Reserved: 2026-01-14T16:08:37.484Z

Link: CVE-2026-23645

cve-icon Vulnrichment

Updated: 2026-01-16T21:37:54.255Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T20:15:49.880

Modified: 2026-01-30T19:32:11.660

Link: CVE-2026-23645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses