{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T18:36:27.398","vulnerabilities":[{"cve":{"id":"CVE-2026-23645","sourceIdentifier":"security-advisories@github.com","published":"2026-01-16T20:15:49.880","lastModified":"2026-01-30T19:32:11.660","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2."},{"lang":"es","value":"SiYuan es un software de gestión de conocimiento personal de código abierto y autoalojado. Antes de la versión 3.5.4-dev2, existe una vulnerabilidad de cross-site scripting (XSS) almacenado en SiYuan Note. La aplicación no sanitiza los archivos SVG subidos. Si un usuario sube y visualiza un archivo SVG malicioso (por ejemplo, importado de una fuente no confiable), se ejecuta código JavaScript arbitrario en el contexto de su sesión autenticada. Esta vulnerabilidad se ha corregido en la versión 3.5.4-dev2."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*","versionEndExcluding":"3.5.4","matchCriteriaId":"D3F308D6-1396-4488-9382-0EE485C9289C"},{"vulnerable":true,"criteria":"cpe:2.3:a:b3log:siyuan:3.5.4:dev1:*:*:*:*:*:*","matchCriteriaId":"2CB8C612-80B3-4D14-9454-D444D227FA4B"}]}]}],"references":[{"url":"https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/siyuan-note/siyuan/issues/16844","source":"security-advisories@github.com","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Patch"]}]}}]}