CVE-2026-34605

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5...

GHSA-73G7-86QR-JRG3 SiYuan vulnerable to reflected XSS via SVG namespace prefix bypass in SanitizeSVG (getDynamicIcon, unauthenticated)

Summary The SanitizeSVG function introduced in v3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as . The Go HTML5 parser records the element's tag as "x:script" rather than "script", so the tag check passes i...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the getDynamicIcon process. An attacker can execute arbitrary JavaScript in the context of the application by injecting namespace-prefixed SVG elements into the content parameter, which are not properly...

SUSE CVE-2026-29183

SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoi...

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

CVE-2026-32940

SiYuan Note's CVE-2026-32940 affects versions 3.6.0 and below where SanitizeSVG's blocklist is incomplete, allowing a click-through XSS via the unauthenticated /api/icon/getDynamicIcon endpoint. The endpoint echoes user-controlled input (content) directly into SVG markup using fmt.Sprintf with no...

SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SanitizeSVG bypass via data:text/xml in getDynamicIcon incomplete fix for CVE-2026-29183 SanitizeSVG blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml. Both render SVG with onload JavaScript execution confirmed in Chromium 136, other...

GHSA-4MX9-3C2H-HWHG SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SanitizeSVG bypass via data:text/xml in getDynamicIcon incomplete fix for CVE-2026-29183 SanitizeSVG blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml. Both render SVG with onload JavaScript execution confirmed in Chromium 136, other...

CVE-2026-31809 SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string bypasses this prefi...

CVE-2026-31807

SiYuan: CVE-2026-31807 is a real issue in SVG sanitization prior to v3.5.10. The SVG sanitizer fails to block animation elements (e.g., /) in /api/icon/getDynamicIcon (type=8), allowing injection of JavaScript and a reflected XSS. Nuclei templates detail the exact vector: unauthenticated access t...

GO-2026-4596 SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint in github.com/siyuan-note/siyuan/kernel

SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint in github.com/siyuan-note/siyuan/kernel...

CVE-2026-29183

SiYuan Note/CMS exposes an unauthenticated reflected XSS via GET /api/icon/getDynamicIcon with type=8, where attacker-controlled content is inserted into SVG output without escaping. Prior to 3.5.9, this allowed injection of executable JavaScript in the SiYuan web origin, potentially enabling act...

CVE-2026-23847

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons type=8. The content query parameter is inserted directly into the S...