PT-2026-3304 · Siyuan · Siyuan

Jaroslaw-Wawiorko · Published 2026-01-16 · Updated 2026-02-06

CVE-2026-23645
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.4-dev2

Description: SiYuan Note does not properly sanitize uploaded SVG files. The application lets authenticated users upload files, including .svg images, without removing JavaScript embedded in them, so a malicious SVG (for example one obtained from an untrusted source) can execute arbitrary JavaScript within the user's authenticated session when it is viewed. The vulnerability is triggered when a user exports the malicious SVG file, causing the embedded JavaScript to run in their browser.

Recommendations: Update SiYuan to version 3.5.4-dev2 or later.
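As an added example (not SiYuan's own code), the kind of upload-time check that closes this class of bug: it tokenizes an SVG with Go's standard XML decoder and flags the constructs that let an SVG run script when opened as a document, so an upload carrying any of them can be rejected before it is stored. The two sample inputs are constructed for the demonstration and are not taken from the advisory.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"io"
	"strings"
)

// InspectSVG returns one line per construct that runs script when the SVG is
// opened as a document: <script>, <foreignObject> (embedded HTML), on* event
// handlers, and any attribute carrying a javascript: URL (href, xlink:href,
// SMIL from/to/values). Uploads with findings, or that fail to parse, should be rejected.
func InspectSVG(svg []byte) ([]string, error) {
	dec := xml.NewDecoder(bytes.NewReader(svg))
	dec.Strict = false // tolerate DOCTYPEs and HTML entities common in exported SVGs
	var findings []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return findings, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		el := strings.ToLower(se.Name.Local)
		if el == "script" || el == "foreignobject" {
			findings = append(findings, "active element <"+el+">")
		}
		for _, a := range se.Attr {
			attr := strings.ToLower(a.Name.Local)
			// Browsers ignore whitespace inside a URL scheme ("java&#9;script:" still runs).
			val := strings.ToLower(strings.Join(strings.Fields(a.Value), ""))
			if strings.HasPrefix(attr, "on") {
				findings = append(findings, "<"+el+"> event handler "+attr)
			} else if strings.Contains(val, "javascript:") {
				findings = append(findings, "<"+el+"> javascript: URL in "+attr)
			}
		}
	}
}

// Constructed samples: SampleMalicious carries three script vectors, SampleClean is a benign drawing.
const SampleMalicious = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
<script>alert(2)</script>
<a xlink:href=" java&#9;script:alert(3)"><text>click</text></a></svg>`
const SampleClean = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 8 8"><circle cx="4" cy="4" r="3"/></svg>`
```

Serving stored SVGs only inside an `<img>` element or with `Content-Disposition: attachment` is a complementary defence, since browsers do not execute script in an image context.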

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23645
GHSA-PCJQ-J3MQ-JV5J
GO-2026-4324
SUSE-SU-2026:0403-1

Affected Products

Siyuan