CVE-2026-23645: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
CVE-2026-23645 is a stored Cross-Site Scripting (XSS) vulnerability in SiYuan Note versions prior to 3.5.4-dev2. The flaw arises because the application fails to sanitize uploaded SVG files, allowing malicious JavaScript embedded in SVGs to execute in the context of an authenticated user's session. Exploitation requires a user to upload and then view a crafted SVG file, leading to arbitrary script execution without requiring authentication or elevated privileges. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity. There are no known exploits in the wild as of now. European organizations using SiYuan Note for personal knowledge management should upgrade to version 3.
AI Analysis
Technical Summary
CVE-2026-23645 is a stored Cross-Site Scripting (XSS) vulnerability identified in SiYuan Note, an open-source, self-hosted personal knowledge management application. The vulnerability exists in versions prior to 3.5.4-dev2 due to improper sanitization of uploaded SVG files. SVG files can contain embedded JavaScript, and when a malicious SVG is uploaded and subsequently viewed by an authenticated user, the embedded script executes within the user's session context. This allows an attacker to perform arbitrary JavaScript execution, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. The vulnerability does not require any authentication or privileges to exploit, only that a user views the malicious SVG. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and low scope impact (S:C), resulting in a medium severity score of 5.3. While no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the common use of SVG files and the potential for social engineering to induce users to view malicious content. The issue was addressed in version 3.5.4-dev2 by implementing proper sanitization of SVG uploads to neutralize embedded scripts. Organizations using SiYuan Note should prioritize upgrading to the patched version to eliminate this attack vector.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on SiYuan Note for knowledge management and collaboration. Successful exploitation can lead to session hijacking, unauthorized data access, and potential lateral movement within internal networks. Confidentiality is at risk as attackers can steal sensitive information accessible through the user's session. Integrity may be compromised if attackers perform unauthorized actions or inject malicious content. Availability impact is limited but could occur if attackers disrupt user sessions or application functionality. Given that exploitation requires user interaction (viewing a malicious SVG), the risk is mitigated somewhat but remains notable due to the ease of embedding SVGs in documents and messages. European organizations with decentralized IT environments or those encouraging self-hosted solutions may be more exposed. The medium CVSS score reflects a moderate risk that should not be ignored, especially in sectors handling sensitive or regulated data. Attackers could leverage this vulnerability as an initial foothold or as part of a broader attack chain targeting knowledge management systems.
Mitigation Recommendations
1. Upgrade SiYuan Note to version 3.5.4-dev2 or later immediately to apply the official fix that sanitizes SVG uploads.
2. Implement strict file upload policies restricting SVG uploads to trusted users or disabling SVG uploads entirely if not required.
3. Employ server-side SVG sanitization tools that remove or neutralize embedded scripts before storage or rendering.
4. Educate users on the risks of opening untrusted SVG files and encourage caution with files from unknown sources.
5. Monitor application logs for unusual upload or viewing activity related to SVG files.
6. Use Content Security Policy (CSP) headers to restrict script execution contexts and reduce the impact of potential XSS attacks.
7. Consider isolating the SiYuan Note environment or running it in a sandboxed container to limit the scope of compromise.
8. Regularly audit and update all self-hosted applications to ensure timely patching of vulnerabilities.
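Mitigation 3 above calls for server-side sanitization of SVG uploads before storage or rendering. The Go function below is an added example, not SiYuan's own code or the project's fix: it keeps drawing content and strips the constructs that can run script (script and foreignObject subtrees, on* handlers, javascript:/data: links) using only the standard library (slices.DeleteFunc needs Go 1.21 or later). The sample SVG is constructed for the demonstration.

```go
package main
import (
	"encoding/xml"
	"io"
	"slices"
	"strings"
)
// Constructed sample in the class the advisory describes: script element, event handler and javascript: link beside real drawing content.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10" onload="alert(1)"><script>alert(document.cookie)</script>
<circle cx="5" cy="5" r="4" fill="red"/><a xlink:href="javascript:alert(1)"><text x="1" y="5">hi</text></a></svg>`
// Dropped with their whole subtree: script, HTML embedding, and <set>/<animate> (they can rewrite an href to an active value after load).
var blocked = map[string]bool{"script": true, "foreignObject": true, "iframe": true,
	"embed": true, "object": true, "set": true, "animate": true}
// unsafeAttr flags on* event handlers, href/src with an active scheme, and namespace declarations (the encoder re-emits the ones it needs).
func unsafeAttr(a xml.Attr) bool {
	n, v := strings.ToLower(a.Name.Local), strings.ToLower(strings.TrimSpace(a.Value))
	return strings.HasPrefix(n, "on") || n == "xmlns" || a.Name.Space == "xmlns" ||
		((n == "href" || n == "src") && (strings.HasPrefix(v, "javascript:") || strings.HasPrefix(v, "data:")))
}
// SanitizeSVG re-serialises only the tokens that pass the rules above; comments, DOCTYPE directives and processing instructions are dropped.
func SanitizeSVG(in string) (string, error) {
	dec, out := xml.NewDecoder(strings.NewReader(in)), &strings.Builder{}
	enc, skip := xml.NewEncoder(out), 0 // skip > 0 while inside a blocked subtree
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		switch t := tok.(type) { // tok is nil after a decode error, so no case matches
		case xml.StartElement:
			if skip > 0 || blocked[t.Name.Local] {
				skip++
				continue
			}
			t.Attr = slices.DeleteFunc(t.Attr, unsafeAttr)
			err = enc.EncodeToken(t)
		case xml.EndElement:
			if skip > 0 {
				skip--
			} else {
				err = enc.EncodeToken(t)
			}
		case xml.CharData:
			if skip == 0 {
				err = enc.EncodeToken(t)
			}
		}
		if err != nil { // malformed input (reject the upload) or encode failure
			return "", err
		}
	}
	err := enc.Flush()
	return out.String(), err
}
```

The re-serialised output repeats the SVG namespace on child elements, which is valid but verbose; an upload handler should store the sanitized bytes, not the original, and serve them with a restrictive CSP as mitigation 6 recommends.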
Affected Countries
Germany, Netherlands, Sweden, Norway, Finland, Denmark, France, United Kingdom
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-14T16:08:37.484Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696a8fc2b22c7ad868d78294
Added to database: 1/16/2026, 7:21:38 PM
Last enriched: 1/23/2026, 8:35:13 PM
Last updated: 2/6/2026, 5:41:27 AM