Lucene search
+L

45 matches found

Snyk
Snyk
added 2026/03/04 9:45 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getDynamicIcon endpoint when attacker-controlled input is embedded into SVG output without proper sanitization. An attacker can execute arbitrary JavaScript in the context of the web application by...

9.3CVSS7.3AI score0.00625EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/04 9:45 p.m.9 views

SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint

Summary An unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint: - GET /api/icon/getDynamicIcon When type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL ca...

9.3CVSS6.1AI score0.00625EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/01/19 7:46 p.m.2 views

CVE-2026-23847

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the S...

6.1CVSS5AI score0.00263EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2026/01/19 12:0 a.m.9 views

SiYuan cross-site scripting vulnerabilities

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan prior to 3.5.4 contained a cross-site scripting vulnerability. This vulnerability stemmed from the /api/icon/getDynamicIcon endpoint’s improper handling of uncleaned SVG inputs, which...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/01/19 12:0 a.m.3 views

PT-2026-3492

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.4 Description SiYuan is a personal knowledge management system susceptible to reflected cross-site scripting. The issue occurs in the /api/icon/getDynamicIcon API endpoint. The endpoint generates SVG images for tex...

6.1CVSS4.3AI score0.00263EPSS
Exploits1References12
Rows per page
Query Builder