CVE-2026-23645: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
CVE-2026-23645 is a medium severity stored Cross-Site Scripting (XSS) vulnerability affecting SiYuan Note versions prior to 3.5.4-dev2. The flaw arises because the application fails to sanitize uploaded SVG files, allowing malicious JavaScript embedded in an SVG to execute in the context of an authenticated user's session. No authentication or privileges are needed on the attacker's side, but exploitation requires a user to upload and then view a crafted SVG file, at which point arbitrary script executes. This vulnerability can compromise user confidentiality and session integrity but does not affect system availability. The issue is fixed in version 3.5.4-dev2. European organizations using SiYuan Note for personal knowledge management should update promptly to mitigate risks.
AI Analysis
Technical Summary
CVE-2026-23645 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SiYuan Note personal knowledge management software, specifically affecting versions prior to 3.5.4-dev2. The vulnerability stems from improper input neutralization during web page generation, classified under CWE-79. SiYuan Note allows users to upload SVG files as part of their notes or knowledge base. However, the application does not sanitize these SVG files, which can contain embedded JavaScript. When a user uploads a malicious SVG file sourced from an untrusted origin and subsequently views it within the application, the embedded JavaScript executes in the context of the authenticated user's session. This execution can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. The vulnerability is remotely exploitable without requiring authentication or privileges, but user interaction is necessary to upload and view the malicious SVG. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the network attack vector, low complexity, no privileges required, but requiring user interaction. There are no known exploits in the wild at the time of publication. The issue was addressed and fixed in version 3.5.4-dev2 by implementing proper sanitization of SVG content to neutralize potentially harmful scripts. This vulnerability highlights the risks associated with handling SVG files, which can embed active content, and underscores the importance of rigorous input validation and output encoding in web applications.
Potential Impact
For European organizations using SiYuan Note, this vulnerability poses a risk to the confidentiality and integrity of user sessions and stored data. Attackers can exploit the flaw to execute arbitrary JavaScript in the context of authenticated users, potentially leading to credential theft, session hijacking, or unauthorized actions within the application. Since SiYuan Note is often used for personal knowledge management, sensitive or proprietary information could be exposed or manipulated. Although the vulnerability does not directly impact system availability, the compromise of user accounts and data integrity can have significant operational and reputational consequences. The impact is heightened in environments where multiple users share access or where SiYuan Note is integrated with other internal systems. European organizations with remote or hybrid workforces that rely on self-hosted knowledge management solutions are particularly at risk if they have not applied the patch. Additionally, the lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread attacks occur.
Mitigation Recommendations
1. Upgrade SiYuan Note to version 3.5.4-dev2 or later immediately to apply the official fix that sanitizes SVG uploads.
2. If upgrading is not immediately feasible, temporarily disable or restrict SVG file uploads, or restrict uploads to file types that cannot carry active content.
3. Validate and sanitize all uploaded files server-side, especially SVGs, to remove or neutralize embedded scripts.
4. Deploy a Content Security Policy (CSP) that restricts script sources, to limit the impact of any injected script.
5. Educate users on the risks of uploading files from untrusted sources and encourage cautious handling of shared SVG files.
6. Monitor application logs for unusual upload or viewing activity that could indicate exploitation attempts.
7. Consider deploying a web application firewall (WAF) with rules to detect and block malicious SVG payloads.
8. Conduct regular security assessments and code reviews focusing on input validation and output encoding within the application.
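As an added example of recommendations 2 and 3 (illustrative code, not SiYuan's own and not the fix shipped in 3.5.4-dev2), a server-side upload gate in Go, the language of SiYuan's kernel, that scans an SVG's XML token stream for the constructs that make an inline SVG executable: script-bearing elements, on* event-handler attributes, and javascript: URLs in href or src. The element list, the "kind:name" report format and the sample document are assumptions made for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Elements that carry active or foreign content inside an SVG document (assumed list).
var activeElements = map[string]bool{
	"script": true, "foreignobject": true, "iframe": true, "embed": true, "object": true,
}

// ScanSVG walks the XML token stream of an uploaded SVG and returns one "kind:name"
// entry per script element, event-handler attribute or javascript: URL. The input is
// not modified; a parse error is returned so the caller rejects rather than trusts it.
func ScanSVG(r io.Reader) ([]string, error) {
	dec := xml.NewDecoder(r)
	dec.Strict = false // tolerate HTML-style entities common in SVG exports
	var found []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return found, nil // an empty result means nothing executable was seen
		} else if err != nil {
			return nil, err
		}
		if el, ok := tok.(xml.StartElement); ok {
			if name := strings.ToLower(el.Name.Local); activeElements[name] {
				found = append(found, "element:"+name)
			}
			for _, a := range el.Attr {
				name := strings.ToLower(a.Name.Local) // xlink:href arrives with Local "href"
				// Browsers ignore whitespace inside a scheme, so "java\tscript:" must match too.
				value := strings.ToLower(strings.Join(strings.Fields(a.Value), ""))
				if strings.HasPrefix(name, "on") { // onload, onclick, onbegin, ...
					found = append(found, "handler:"+name)
				} else if (name == "href" || name == "src") && strings.HasPrefix(value, "javascript:") {
					found = append(found, "url:"+name)
				}
			}
		}
	}
}

// Constructed sample, inert: one shape plus a script element and an onload handler.
const sample = `<svg xmlns="http://www.w3.org/2000/svg" onload="x()"><circle r="4"/><script>/* inert */</script></svg>`
func main() { fmt.Println(ScanSVG(strings.NewReader(sample))) } // [handler:onload element:script] <nil>
```

Rejecting on any finding is the safer choice when SVGs are rendered inline in an authenticated session; rewriting the file into a clean form instead needs a real SVG serializer, and serving uploads from a separate origin or as a download limits what a missed construct can reach.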
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-14T16:08:37.484Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696a8fc2b22c7ad868d78294
Added to database: 1/16/2026, 7:21:38 PM
Last enriched: 1/16/2026, 7:36:16 PM
Last updated: 1/16/2026, 8:40:59 PM