Description
Advisory GHSA-pcjq-j3mq-jv5j references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/siyuan-note/siyuan/kernel |
Description:
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.
Details
The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as <script> tags or event handlers).
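The following is an added example, not SiYuan's code and not the change in the referenced fix commit (the advisory does not describe its mechanism). It shows the two layers a practitioner would want around an SVG upload path in Go: an upload-time inspector, built on encoding/xml, that flags the constructs an SVG needs in order to run script (script and foreignObject elements, on* event handlers, javascript: URLs in href/xlink:href, including the whitespace-obfuscated form), and a response handler that delivers SVGs with a Content-Security-Policy that forbids script and sandboxes the document, falling back to a download for anything the inspector flags. The /assets/ route, the names InspectSVG and NewAssetHandler, the CSP value, and both sample SVGs are assumptions made up for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"mime"
	"net/http"
	"strings"
	"unicode"
)

// Finding is one construct that runs script when the SVG is rendered as a document
// (iframe, object, navigation, or inlined into the page DOM) rather than via <img>.
type Finding struct {
	Element, Attribute, Value string // Attribute is empty when the element itself is the problem
}

// InspectSVG tokenizes the document with encoding/xml and reports <script> and
// <foreignObject> elements, on* attributes, and href/xlink:href values that resolve to javascript:.
func InspectSVG(data []byte) ([]Finding, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	var findings []Finding
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil { // includes unclosed elements at EOF in strict mode
			return findings, fmt.Errorf("malformed SVG: %w", err)
		}
		start, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		el := strings.ToLower(start.Name.Local)
		if el == "script" || el == "foreignobject" {
			findings = append(findings, Finding{Element: el, Value: el})
		}
		for _, a := range start.Attr {
			name := strings.ToLower(a.Name.Local) // "href" for both href and xlink:href
			if strings.HasPrefix(name, "on") || (name == "href" && isJavaScriptURL(a.Value)) {
				findings = append(findings, Finding{el, name, a.Value})
			}
		}
	}
}

// isJavaScriptURL drops the whitespace and control characters browsers ignore
// inside a scheme, so "java\nscript:" (from java&#10;script:) is still caught.
func isJavaScriptURL(v string) bool {
	cleaned := strings.Map(func(r rune) rune {
		if r < 0x20 || unicode.IsSpace(r) {
			return -1
		}
		return r
	}, v)
	return strings.HasPrefix(strings.ToLower(cleaned), "javascript:")
}

// NewAssetHandler serves uploads under /assets/ (an assumed route, not SiYuan's).
// Every SVG gets a CSP that forbids script and sandboxes it into an opaque origin,
// and an SVG that InspectSVG flags or cannot parse is served as a download instead.
func NewAssetHandler(store map[string][]byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/assets/")
		data, ok := store[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("X-Content-Type-Options", "nosniff")
		if strings.HasSuffix(strings.ToLower(name), ".svg") {
			w.Header().Set("Content-Type", "image/svg+xml")
			w.Header().Set("Content-Security-Policy", "sandbox; script-src 'none'; object-src 'none'")
			if f, err := InspectSVG(data); err != nil || len(f) > 0 {
				w.Header().Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": name}))
			}
		}
		w.Write(data)
	})
}

// Constructed sample inputs for this demonstration; not taken from the advisory.
const maliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.cookie)">
  <script>alert(document.domain)</script>
  <a xlink:href="java&#10;script:alert(1)"><text y="20">click</text></a>
</svg>`
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="orange"/></svg>`

func main() {
	for _, svg := range []string{maliciousSVG, benignSVG} {
		findings, err := InspectSVG([]byte(svg))
		fmt.Printf("%d finding(s), err=%v: %+v\n", len(findings), err, findings)
	}
}
```

Two caveats on the design. The response headers only protect the case where the SVG is the top-level document of a frame, object or navigation; if the front end fetches the markup and inlines it into the page DOM, no header applies and only the upload-time inspection (or a real sanitizer) stands between the file and the session. And an inspector that rejects is deliberately simpler than a sanitizer that rewrites: round-tripping namespaced SVG through encoding/xml's encoder mangles xmlns declarations, so a rewrite path would need its own serializer or a dedicated library.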
PoC
- Create a new "Daily note" in the workspace.
References:
- ADVISORY: GHSA-pcjq-j3mq-jv5j
- ADVISORY: GHSA-pcjq-j3mq-jv5j
- FIX: siyuan-note/siyuan@11115da
- REPORT: Do not execute scripts in assets SVG by default to prevent XSS siyuan-note/siyuan#16844
Cross references:
- github.com/siyuan-note/siyuan/kernel appears in 7 other report(s):
- data/reports/GO-2024-3323.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-25w9-wqfq-gwqx #3323)
- data/reports/GO-2024-3324.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-4pjc-pwgq-q9jp #3324)
- data/reports/GO-2024-3326.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-fqj6-whhx-47p7 #3326)
- data/reports/GO-2024-3327.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-xx68-37v4-4596 #3327)
- data/reports/GO-2025-3362.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-8fx8-pffw-w498 #3362)
- data/reports/GO-2025-4219.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-4r66-7rcv-x46x #4219)
- data/reports/GO-2025-4221.yaml (x/vulndb: potential Go vuln in github.com/siyuan-note/siyuan/kernel: GHSA-gqfv-g4v7-m366 #4221)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/siyuan-note/siyuan/kernel
versions:
- fixed: 0.0.0-20260116101155-11115da3d0de
summary: |-
SiYuan Has a Stored Cross-Site Scripting (XSS) Vulnerability via Unrestricted
SVG File Upload in github.com/siyuan-note/siyuan/kernel
cves:
- CVE-2026-23645
ghsas:
- GHSA-pcjq-j3mq-jv5j
references:
- advisory: https://github.com/advisories/GHSA-pcjq-j3mq-jv5j
- advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j
- fix: https://github.com/siyuan-note/siyuan/commit/11115da3d0de950593ee4ce375cf7f9018484388
- report: https://github.com/siyuan-note/siyuan/issues/16844
notes:
- fix: 'github.com/siyuan-note/siyuan/kernel: could not add vulnerable_at: cannot auto-guess when fixed version is 0.0.0 pseudo-version'
source:
id: GHSA-pcjq-j3mq-jv5j
created: 2026-01-16T20:02:11.524836688Z
review_status: UNREVIEWED