NIXPKGS-2026-0025, published on 17 Jan 2026
CVE-2026-23645, updated 5 days, 5 hours ago by @LeSuisse

Activity log:
- Created automatic suggestion 5 days, 18 hours ago
- @LeSuisse accepted as draft 5 days, 5 hours ago
- @LeSuisse published on GitHub 5 days, 5 hours ago

SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

Affected products: siyuan ==< 3.5.4-dev2

Matching in nixpkgs: pkgs.siyuan
Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync
- nixos-unstable: 3.4.0
- nixpkgs-unstable: 3.4.0
- nixos-unstable-small: 3.4.0
- nixos-25.05: 3.1.28
- nixos-25.05-small: 3.1.28
- nixpkgs-25.05-darwin: 3.1.28

Package maintainers (2): @TomaSajt (TomaSajt), @L-Trump (Luo Chen <ltrump@163.com>)
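The advisory's root cause is that uploaded SVG files are stored and later rendered without sanitization. The Python below is an added example written for this page; it is not SiYuan's code and not the upstream fix. It shows the two defensive layers a self-hosted application can put around SVG uploads: an upload-time check that rejects SVG documents carrying active content (script elements, event-handler attributes, script-scheme URLs, entity declarations), and serve-time response headers that neutralize script in any SVG that slips through. The two SVG documents embedded in the block are constructed samples, and the function and header names are this example's own choices. It uses the standard library `xml.etree.ElementTree` parser; a production deployment should parse untrusted XML with `defusedxml` instead.

```python
"""Defender-side handling of SVG uploads (added example, not SiYuan's code)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that can execute script, embed HTML, or rewrite attributes at runtime.
RISKY_ELEMENTS = {"script", "foreignObject", "set", "animate", "animateTransform", "style"}
# URL schemes/forms allowed in href attributes: fragments, http(s), site-relative
# paths and base64 raster images. Everything else (javascript:, data:image/svg+xml,
# vbscript:, ...) is rejected.
SAFE_URL = re.compile(
    r"^(?:#|https?://|/|\./|data:image/(?:png|jpeg|gif|webp);base64,)", re.I
)


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/1999/xlink}href' -> 'href'."""
    return name.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return a list of reasons an uploaded SVG should be rejected (empty = clean)."""
    findings: list[str] = []
    head = svg_bytes[:4096].lower()
    # Entity declarations enable XXE / entity-expansion tricks; an image never needs them.
    if b"<!doctype" in head or b"<!entity" in head:
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        # Comments/PIs have a callable .tag; skip them.
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in RISKY_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and not SAFE_URL.match(value.strip()):
                findings.append(f"unsafe URL in {name} on <{tag}>: {value[:40]!r}")
    return findings


def is_safe_svg_upload(svg_bytes: bytes) -> bool:
    """Upload-time gate: accept only SVGs with no findings."""
    return not svg_findings(svg_bytes)


def serve_headers_for_svg() -> dict[str, str]:
    """Serve-time headers for stored SVGs (names are standard HTTP headers).

    The CSP blocks inline/external script and sandboxes the document if it is ever
    opened as a top-level page; Content-Disposition: attachment keeps the browser
    from rendering it in the application's origin on direct navigation.
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: an ordinary vector drawing.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="teal"/>
</svg>"""

# Constructed sample carrying the three most common script carriers in SVG.
UNSAFE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="console.log('constructed sample')">
  <script>console.log('constructed sample')</script>
  <a xlink:href="javascript:console.log('constructed sample')"><text y="8">x</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("unsafe", UNSAFE_SVG)):
        print(label, "->", "accept" if is_safe_svg_upload(doc) else svg_findings(doc))
```

Run it and the benign drawing is accepted while the unsafe sample is rejected with three findings (the `onload` handler, the `<script>` element and the `javascript:` link). The header layer only matters when the file is loaded as a document (direct navigation, `<iframe>`, `<object>`); in an `<img>` tag browsers never execute SVG script, so rendering user SVGs exclusively through `<img>` is itself a strong mitigation.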