CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

71 matches found

Vulnrichment•added 2026/03/20 3:33 a.m.•2 views

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

9.3CVSS5.7AI score0.00302EPSS

Exploits1References4

Positive Technologies•added 2026/03/17 12:0 a.m.•4 views

PT-2026-26178

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.6.0 and earlier Description SiYuan, a personal knowledge management system, has an incomplete blocklist in its SanitizeSVG function. The function blocks 'data:text/html' and 'data:image/svg+xml' in 'href' attributes but fails...

9.3CVSS5.9AI score0.00302EPSS

Exploits1References13

EUVD•added 2026/03/10 11:57 p.m.•4 views

EUVD-2026-10896

SiYuan has a SVG Sanitizer Bypass via Whitespace in javascript: URI — Unauthenticated XSS...

6.4CVSS5.8AI score0.00505EPSS

Exploits1References3

EUVD•added 2026/03/10 11:57 p.m.•6 views

EUVD-2026-10897

SiYuan has a SVG Sanitizer Bypass via Whitespace in javascript: URI — Unauthenticated XSS...

6.4CVSS5.8AI score0.00505EPSS

Exploits1References3

Github Security Blog•added 2026/03/10 11:57 p.m.•5 views

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

SVG Sanitizer Bypass via Whitespace in javascript: URI — Unauthenticated XSS Summary SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string...

6.4CVSS5.8AI score0.00505EPSS

Exploits1References4Affected Software1

OSV•added 2026/03/10 11:57 p.m.•2 views

GHSA-PMC9-F5QR-2PCR SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

6.4CVSS5.8AI score0.00505EPSS

Exploits1References4

EUVD•added 2026/03/10 11:49 p.m.•3 views

EUVD-2026-10892

SiYuan has a SVG Sanitizer Bypass via Element — Unauthenticated XSS...

6.4CVSS5.8AI score0.00445EPSS

Exploits1References3

EUVD•added 2026/03/10 11:49 p.m.•2 views

EUVD-2026-10893

SiYuan has a SVG Sanitizer Bypass via Element — Unauthenticated XSS...

6.4CVSS5.8AI score0.00445EPSS

Exploits1References3

Github Security Blog•added 2026/03/10 11:49 p.m.•4 views

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

SVG Sanitizer Bypass via Element — Unauthenticated XSS Summary SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangerous...

6.4CVSS5.8AI score0.00445EPSS

Exploits1References4Affected Software1

OSV•added 2026/03/10 11:49 p.m.•1 views

GHSA-5HC8-QMG8-PW27 SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

6.4CVSS5.9AI score0.00445EPSS

Exploits1References4

NVD•added 2026/03/10 9:16 p.m.•4 views

CVE-2026-31807

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangero...

6.4CVSS0.00445EPSS

Exploits1References1

NVD•added 2026/03/10 9:16 p.m.•3 views

CVE-2026-31809

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string bypasses this prefi...

6.4CVSS0.00505EPSS

Exploits1References1

ATTACKERKB•added 2026/03/10 8:58 p.m.•3 views

CVE-2026-31809

9.3CVSS5.8AI score0.00625EPSS

Exploits2References2Affected Software1

Vulnrichment•added 2026/03/10 8:58 p.m.•3 views

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

6.4CVSS5.8AI score0.00505EPSS

Exploits1References1

OSV•added 2026/03/10 8:58 p.m.•3 views

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

6.4CVSS5.8AI score0.00505EPSS

Exploits1References3

Vulnrichment•added 2026/03/10 8:56 p.m.•2 views

CVE-2026-31807 SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

6.4CVSS5.8AI score0.00445EPSS

Exploits1References1

Cvelist•added 2026/03/10 8:56 p.m.•28 views

CVE-2026-31807 SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

6.4CVSS0.00445EPSS

Exploits1References1

OSV•added 2026/03/10 8:56 p.m.•2 views

CVE-2026-31807 SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

6.4CVSS5.8AI score0.00445EPSS

Exploits1References3

Positive Technologies•added 2026/03/10 12:0 a.m.•6 views

PT-2026-24462

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.10 Description SiYuan is a personal knowledge management system. The SVG sanitizer SanitizeSVG in versions prior to 3.5.10 does not block SVG animation elements , , allowing attackers to dynamically set attributes ...

9.9CVSS7.1AI score0.22162EPSS

Exploits68References134

Positive Technologies•added 2026/03/10 12:0 a.m.•5 views

PT-2026-24464

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.10 Description SiYuan is a personal knowledge management system susceptible to a reflected cross-site scripting XSS condition. The SVG sanitizer, SanitizeSVG, inadequately checks href attributes for the 'javascript...

9.9CVSS7AI score0.22162EPSS

Exploits68References135

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by