CVE-2026-23645
EPSS: 0.02%
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload
Description
### Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and then opens a malicious SVG file (for example, one imported from an untrusted source), arbitrary JavaScript executes in the context of that user's authenticated session.

### Details

The application allows authenticated users to upload files, including `.svg` images, without sanitizing them to remove embedded JavaScript (such as `<script>` elements or event-handler attributes).

### PoC

1. Create a new "Daily note" in the workspace.
2. Create a file named `test.svg` with JavaScript inside:

```xml
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
  <rect width="124" height="124" rx="24" fill="red"/>
  <script type="text/javascript">
    alert(window.origin);
  </script>
</svg>
```

3. Upload the file into the current daily note.
4. Open the file: right-click the uploaded asset in the note and select "Export".
5. The JavaScript executes immediately.

### Impact

An authenticated user can upload an SVG file containing script. When a user exports (opens) that file, the embedded JavaScript runs in their browser context; the PoC's `alert(window.origin)` shows it runs in the application's origin, so it has the same access as the logged-in user.

### Notes

Tested version: shown only as a screenshot in the original report.

### Solution

https://github.com/siyuan-note/siyuan/issues/16844
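The advisory does not describe how the project fixed the issue, so the following is an added example, not SiYuan's own code: a Go upload check that rejects SVG files carrying active content (the PoC above is embedded as a constructed sample), plus a helper that sets defensive response headers for served assets. The function names `svgActiveContent` and `hardenAssetHeaders` and the `/assets/` serving assumption are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"path"
	"strings"
)

// Constructed sample input: the PoC SVG from the advisory.
const pocSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
  <rect width="124" height="124" rx="24" fill="red"/>
  <script type="text/javascript">alert(window.origin);</script>
</svg>`

// Constructed sample input: the same image with the script removed.
const cleanSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
  <rect width="124" height="124" rx="24" fill="red"/>
</svg>`

// svgActiveContent walks an SVG document with a streaming XML tokenizer and
// returns one finding per construct a browser will execute or that can smuggle
// HTML: <script>, <foreignObject>, on* event-handler attributes, and
// javascript:/data: URLs in href or xlink:href. An empty result means none were
// found; a non-empty result should make the upload handler reject the file.
func svgActiveContent(svg []byte) []string {
	var findings []string
	dec := xml.NewDecoder(bytes.NewReader(svg))
	dec.Strict = false // browsers parse leniently, so the check must too
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			// Input the tokenizer cannot follow is treated as unsafe, not ignored:
			// a raw "<" inside a script body, for instance, lands here.
			return append(findings, "unparseable XML: "+err.Error())
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		el := strings.ToLower(se.Name.Local)
		if el == "script" || el == "foreignobject" {
			findings = append(findings, "element <"+el+">")
		}
		for _, a := range se.Attr {
			an := strings.ToLower(a.Name.Local)
			val := strings.ToLower(strings.TrimSpace(a.Value))
			switch {
			case strings.HasPrefix(an, "on"):
				findings = append(findings, fmt.Sprintf("event handler %s on <%s>", an, el))
			case an == "href" && (strings.HasPrefix(val, "javascript:") || strings.HasPrefix(val, "data:")):
				// encoding/xml moves the xlink: prefix into Name.Space, so Local is
				// "href" for both href and xlink:href.
				scheme := strings.SplitN(val, ":", 2)[0]
				findings = append(findings, fmt.Sprintf("%s: URL in %s on <%s>", scheme, an, el))
			}
		}
	}
	return findings
}

// hardenAssetHeaders is a second layer behind the upload check for files served
// from the workspace (assumed to live under /assets/): it disables MIME sniffing,
// applies a sandboxing CSP, and forces a download when an .svg is navigated to
// directly, so a script that slipped past the check is not run as a document.
func hardenAssetHeaders(h http.Header, filename string) {
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "sandbox; script-src 'none'")
	if strings.EqualFold(path.Ext(filename), ".svg") {
		h.Set("Content-Disposition", `attachment; filename="`+path.Base(filename)+`"`)
	}
}

func main() {
	for name, doc := range map[string]string{"poc": pocSVG, "clean": cleanSVG} {
		fmt.Printf("%s: %v\n", name, svgActiveContent([]byte(doc)))
	}
	hdr := http.Header{}
	hardenAssetHeaders(hdr, "assets/test.svg")
	fmt.Println(hdr)
}
```

Rejecting rather than stripping keeps the check simple and avoids the parser-differential problems of sanitizers; the header layer matters because the advisory's trigger is opening the file as a top-level document, which is exactly the case `Content-Disposition: attachment` and the `sandbox` directive address.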
Affected packages (the source lists the same entry twice)
- Go / github.com/siyuan-note/siyuan/kernel: introduced 0, fixed in 0.0.0-20260116101155-11115da3d0de
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |

Note: the vector records PR:N (no privileges required) even though the description states that uploading requires an authenticated user; the UI:P and SC:L/SI:L components reflect that the victim must open the file and that the impact lands in the browser (subsequent system) rather than in the kernel itself.
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-23645
- PATCH: https://github.com/siyuan-note/siyuan
- WEB: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388 (the fix commit; its hash matches the fixed pseudo-version above)
- WEB: https://github.com/siyuan-note/siyuan/issues/16844
- WEB: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j