Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.
Details
The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as <script> tags or event handlers).
PoC
- Create a new "Daily note" in the workspace.

2. Create a file named test.svg with malicious JavaScript inside:
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" viewBox="0 0 124 124" fill="none">
<rect width="124" height="124" rx="24" fill="red"/>
<script type="text/javascript">
alert(window.origin);
</script>
</svg>
- Upload a file in current daily note:

4. Open the file:
- Right-click the uploaded asset in the note.
- Select "Export"

5. The JavaScript code executes immediately.
Impact
The vulnerability allows to upload an SVG file containing malicious scripts. When a user exports this file, the embedded arbitrary JavaScript code is executed within their browser context
Notes
Tested version:

Solution
#16844
Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.
Details
The application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as <script> tags or event handlers).
PoC
Impact
The vulnerability allows to upload an SVG file containing malicious scripts. When a user exports this file, the embedded arbitrary JavaScript code is executed within their browser context
Notes
Tested version:

Solution
#16844