Server-side cross-site scripting in github.com/siyuan-note/siyuan/kernel

Description

SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted SVG File Upload

Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.

Details

The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as

PoC

1. Create a new "Daily note" in the workspace.

2. Create a file named test.svg with malicious JavaScript inside:

<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="red"/>
   <script type="text/javascript">
      alert(window.origin);
   </script>
</svg>

3. Upload the file in the current daily note.

4. Open the file:

    Right-click the uploaded asset in the note.

    Select "Export".

5. The JavaScript code executes immediately.

Impact

The vulnerability allows an authenticated user to upload an SVG file containing malicious scripts. When a user exports this file, the embedded arbitrary JavaScript code is executed within their browser context.

Notes

Tested version: (given only as a screenshot in the original report)

Solution

https://github.com/siyuan-note/siyuan/issues/16844
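The check the Details section describes as missing, as an added example that is not SiYuan's code: a streaming scan of an uploaded SVG for script-capable constructs (script and foreignObject elements, on* event attributes, javascript:/data: hrefs), run here against the report's PoC file. The function name and the embedded sample are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"io"
	"strings"
)

// Constructed sample: the report's PoC SVG, which carries a <script> element.
const pocSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="red"/>
   <script type="text/javascript">
      alert(window.origin);
   </script>
</svg>`

// ActiveContentFindings walks an SVG with a streaming XML tokenizer and reports every
// script-capable construct: <script>/<foreignObject> elements, on* event attributes,
// and href/xlink:href values with a javascript: or data: scheme. An empty result means
// the file carries no active content; anything else should reject the upload.
func ActiveContentFindings(svg string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	dec.Strict = false // tolerate sloppy markup; we only inspect, we never re-emit it
	var findings []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		} else if err != nil {
			return nil, err // unparseable input is rejected, not trusted
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // character data, comments and end tags cannot carry handlers
		}
		name := strings.ToLower(se.Name.Local)
		if name == "script" || name == "foreignobject" {
			findings = append(findings, "element <"+name+">")
		}
		for _, a := range se.Attr {
			key := strings.ToLower(a.Name.Local) // xlink:href and href both have Local "href"
			val := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(key, "on") {
				findings = append(findings, "event attribute "+key+" on <"+name+">")
			} else if key == "href" && (strings.HasPrefix(val, "javascript:") || strings.HasPrefix(val, "data:")) {
				findings = append(findings, "scripted href on <"+name+">")
			}
		}
	}
}
```

Rejecting on any finding is the safer server-side policy; serving stored SVGs with `Content-Disposition: attachment` or a strict Content-Security-Policy is a complementary browser-side control.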

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.


FLAT-4LSTK – Vulnerability