2 matches found
CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string bypasses this prefi...
CVE-2026-31809
creationtimestamp| type| source ---|---|--- 2026-03-09 08:40:48+00:00| published-proof-of-concept| https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr...