GHSA-pcjq-j3mq-jv5j

Source
https://github.com/advisories/GHSA-pcjq-j3mq-jv5j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-pcjq-j3mq-jv5j/GHSA-pcjq-j3mq-jv5j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pcjq-j3mq-jv5j
Aliases
Published
2026-01-16T19:22:08Z
Modified
2026-01-21T16:20:45.078205Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads a malicious SVG file (for example, one imported from an untrusted source) and then opens it through the application (the PoC below uses the asset's Export action), the embedded JavaScript executes in the user's browser under the origin of their authenticated session.

Details

The application allows authenticated users to upload files, including .svg images, without sanitizing the content to remove embedded JavaScript (such as <script> elements, on* event-handler attributes, or javascript: URLs in href attributes). Because the SVG is later served and rendered as a document rather than as an inert image, any script it contains runs.

PoC

  1. Create a new "Daily note" in the workspace.
  2. Create a file named test.svg with malicious JavaScript inside:
    <svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
    <rect width="124" height="124" rx="24" fill="red"/>
       <script type="text/javascript">
          alert(window.origin);
       </script>
    </svg>
    
  3. Upload the file into the current daily note.
  4. Open the file:
  • Right-click the uploaded asset in the note.
  • Select "Export"
  5. The JavaScript code executes immediately (the alert shows the application's origin, confirming the script runs in the SiYuan session's origin rather than in a sandboxed one).
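The root cause described above is an upload path that accepts SVG without inspecting it for active content. The following is an added example (not code from the SiYuan project or from the advisory) showing how an upload handler written in Go, the language of the affected kernel package, could reject such files before storing them. It walks the XML token stream rather than grepping the bytes, so case and whitespace variations are handled. The function name SVGActiveContent and the sample SVGs (a constructed copy of the PoC shape and a benign icon) are this example's own.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample mirroring the advisory's PoC: an <svg> with an embedded <script>.
const pocSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="red"/>
<script type="text/javascript">alert(window.origin);</script>
</svg>`

// Constructed sample of a benign icon with no active content.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 124 124">
<rect width="124" height="124" rx="24" fill="red"/>
</svg>`

// activeElements are SVG elements that can execute script or embed arbitrary HTML.
var activeElements = map[string]bool{
	"script":        true,
	"foreignobject": true,
}

// SVGActiveContent parses an uploaded SVG and reports every construct that would
// run JavaScript when the file is rendered as a document: <script> and
// <foreignObject> elements, on* event-handler attributes, and href/xlink:href
// values using the javascript: scheme. It returns the findings (empty when the
// file is clean) and any XML parse error; an unparseable file should also be
// rejected, since a browser may still render it leniently.
func SVGActiveContent(data []byte) ([]string, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = false // tolerate HTML-style entities common in hand-written SVG
	var findings []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return findings, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		name := strings.ToLower(se.Name.Local)
		if activeElements[name] {
			findings = append(findings, "element <"+name+">")
		}
		for _, a := range se.Attr {
			attr := strings.ToLower(a.Name.Local)
			val := strings.ToLower(strings.TrimSpace(a.Value))
			switch {
			case strings.HasPrefix(attr, "on"):
				findings = append(findings, fmt.Sprintf("event handler %s on <%s>", attr, name))
			case attr == "href" && strings.HasPrefix(val, "javascript:"):
				findings = append(findings, fmt.Sprintf("javascript: URL in href on <%s>", name))
			}
		}
	}
	return findings, nil
}

// RejectUnsafeSVG is the check an upload handler would call: it refuses the
// file when it cannot be parsed or when any active content is found.
func RejectUnsafeSVG(data []byte) error {
	findings, err := SVGActiveContent(data)
	if err != nil {
		return fmt.Errorf("svg rejected: parse error: %w", err)
	}
	if len(findings) > 0 {
		return fmt.Errorf("svg rejected: %s", strings.Join(findings, "; "))
	}
	return nil
}

func main() {
	for label, sample := range map[string]string{"poc": pocSVG, "benign": benignSVG} {
		if err := RejectUnsafeSVG([]byte(sample)); err != nil {
			fmt.Println(label+":", err)
		} else {
			fmt.Println(label + ": accepted")
		}
	}
}
```

This check is a deny-list and should be treated as defense in depth: browsers also accept obfuscated schemes and external references via <use>, <image>, and <style> url() that it does not cover. The stronger controls are to serve uploaded SVGs with Content-Disposition: attachment and a restrictive Content-Security-Policy, or to sanitize them with an allow-list sanitizer, so that a file which slips past the check still cannot run in the workspace's origin.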

Impact

The vulnerability allows an authenticated user to upload an SVG file containing malicious scripts. When a user exports that file from a note, the embedded JavaScript executes within their browser context, in the origin of the SiYuan workspace.

Notes

Tested version: (shown in a screenshot in the original report; not reproduced here)

Solution

https://github.com/siyuan-note/siyuan/issues/16844

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-01-16T20:15:49Z",
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-16T19:22:08Z"
}
References

Affected packages

Go / github.com/siyuan-note/siyuan/kernel

Package

Name
github.com/siyuan-note/siyuan/kernel
View open source insights on deps.dev
Purl
pkg:golang/github.com/siyuan-note/siyuan/kernel

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.0.0-20260116101155-11115da3d0de

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-pcjq-j3mq-jv5j/GHSA-pcjq-j3mq-jv5j.json"