SiYuan Note - Cross-Site Scripting

SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting XSS in the /api/icon/getDynamicIcon endpoint due to improper filtering of SVG elements with a namespace prefix such as . By using a namespaced script element, attackers can bypass the SanitizeSVG...

SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)

Summary The SanitizeSVG function introduced in v3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5 parser records the element's tag as "x:script" rather than "script", so the tag check passes i...

CVE-2026-34605 SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG ( getDynamicIcon, unauthenticated )

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5...

CVE-2026-34605 SiYuan: Reflected XSS via SVG namespace prefix bypass in SanitizeSVG ( getDynamicIcon, unauthenticated )

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5...

CVE-2026-34605

SiYuan 3.6.0–3.6.1 suffer a bypass of the SanitizeSVG XSS fix on the unauthenticated /api/icon/getDynamicIcon endpoint. The Go HTML5 parser records namespace-prefixed SVG tags as x:script, allowing the tag to bypass the numeric sprite check; when served as image/svg+xml without a CSP, the browser...

GO-2026-4721 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) in github.com/siyuan-note/siyuan

SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon incomplete fix for CVE-2026-29183 in github.com/siyuan-note/siyuan...

SUSE CVE-2026-31807

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangero...

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

SVG Sanitizer Bypass via Element — Unauthenticated XSS Summary SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangerous...

CVE-2026-29183 SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution

SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoi...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getDynamicIcon endpoint when attacker-controlled input is embedded into SVG output without proper sanitization. An attacker can execute arbitrary JavaScript in the context of the web application by...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getDynamicIcon endpoint when attacker-controlled input is embedded into SVG output without proper sanitization. An attacker can execute arbitrary JavaScript in the context of the web application by...

GO-2026-4343 SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel

SiYuan has a Reflected Cross-Site Scripting XSS via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getDynamicIcon function. An attacker can execute arbitrary JavaScript in the user's session context by injecting malicious SVG content into the content parameter, which is rendered without proper XML...

CVE-2026-23847

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the S...