CVE-2026-23645 SiYuan Vulnerable to Stored Cross-Site Scripting (XSS) via Unrestricted SVG File Upload
SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file, e.g., imported from an...
CVE-2026-23645
Summary: SiYuan Note is vulnerable to a Stored XSS via unrestricted SVG uploads in the kernel/upload path prior to version 3.5.4-dev2. The root cause is that uploaded SVG files are not sanitized, enabling embedded JavaScript to execute in an authenticated user’s session when the file is viewed or...
MiracleLinux 7 : gstreamer-plugins-bad-free-0.10.23-22.el7 (AXSA:2017-1229:01)
The remote MiracleLinux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2017-1229:01 advisory. GStreamer is a streaming media framework, based on graphs of elements which operate on media data. This package contains plug-ins that aren't tested...
MiracleLinux 4 : rh-mariadb100-mariadb-10.0.20-1.0.1.AXS4 (AXSA:2015-463:01)
The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2015-463:01 advisory. MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Security issues fixed with this release:...
MiracleLinux 4 : cups-1.4.2-67.1.0.1.AXS4 (AXSA:2015-156:01)
The remote MiracleLinux 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2015-156:01 advisory. The Common UNIX Printing System provides a portable printing layer for UNIX operating systems. It has been developed by Easy Software Products to...
PT-2026-3304
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.4-dev2. Description: SiYuan Note does not properly sanitize uploaded SVG files. This allows a user to upload a malicious SVG file, such as one obtained from an untrusted source, which can then execute arbitrary...
CVE-2025-15378 AJS Footnotes <= 1.0 - Unauthenticated Stored Cross-Site Scripting
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notelistclass' and 'popupdisplayeffectin' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input...
EUVD-2026-2544
The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...
EUVD-2026-2605
EUVD-2026-2605...
EUVD-2026-2132
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally...
EUVD-2026-2133
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Management Services allows an authorized attacker to elevate privileges locally...
EUVD-2026-2199
Protection mechanism failure in Windows Remote Assistance allows an unauthorized attacker to bypass a security feature locally...
CVE-2025-67811
Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4...
Fedora 42 : wget2 (2026-28b0f7bd35)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-28b0f7bd35 advisory. New version 2.2.1. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...
CVE-2023-31874
Yank Note (YN) 3.52.1 allows execution of arbitrary code when a crafted file is opened, e.g., via nodeRequire('child_process')...
CVE-2023-4864
A vulnerability, which was classified as problematic, was found in SourceCodester Take-Note App 1.0. This affects an unknown part of the file index.php. The manipulation of the argument noteContent with the input leads to cross site scripting. It is possible to initiate the attack remotely. The...
CVE-2018-19620
ShowDoc 2.4.1 allows remote attackers to edit other users' notes by navigating with a modified pageid...
CVE-2019-20151
An XSS issue was discovered in TreasuryXpress 19191105. Due to the lack of filtering and sanitization of user input, malicious JavaScript can be executed by the application's administrators. A malicious payload can be injected within the Multi Approval security component and inserted via the Note...