Lucene search

12 matches found

OSV
added 2026/03/26 8:33 p.m., 2 views

GO-2026-4721 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) in github.com/siyuan-note/siyuan

SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) in github.com/siyuan-note/siyuan...

CVSS 9.3, AI score 5.9, EPSS 0.001
Exploits: 1, References: 5
Cvelist
added 2026/03/20 3:33 a.m., 17 views

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

CVSS 9.3, EPSS 0.001
Exploits: 1, References: 4
Vulnrichment
added 2026/03/20 3:33 a.m., 1 view

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

CVSS 9.3, AI score 5.7, EPSS 0.001
Exploits: 1, References: 4
OSV
added 2026/03/20 3:33 a.m., 0 views

CVE-2026-32940 SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. Th...

CVSS 9.3, AI score 6.2, EPSS 0.001
Exploits: 1, References: 6
OSV
added 2026/03/17 2:08 p.m., 0 views

GHSA-4MX9-3C2H-HWHG SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183). SanitizeSVG blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml. Both render SVG with onload JavaScript execution, confirmed in Chromium 136, other...

CVSS 9.3, AI score 6, EPSS 0.001
Exploits: 1, References: 6
Fedora
added 2024/03/07 10:33 p.m., 22 views

[SECURITY] Fedora 40 Update: jaxb-stax-ex-2.1.0-8.fc40

This project contains a few extensions to complement the JSR-173 StAX API in the following areas: (1) enable parser instance reuse, which is important in high-performance environments like Eclipse Implementation of JAXB and Eclipse Metro; (2) improve the support for reading from non-text XML infoset, su...

CVSS 8.8, AI score 6.8, EPSS 0.46427
Exploits: 3
NVD
added 2021/08/18 1:15 a.m., 11 views

CVE-2021-39267

Persistent cross-site scripting (XSS) in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution such...

CVSS 6.1, EPSS 0.00723
Exploits: 1, References: 3
UbuntuCve
added 2020/06/09 3:15 a.m., 26 views

CVE-2020-13965

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview...

CVSS 6.3, AI score 6.9, EPSS 0.71819
Exploits: 2, References: 7
ATTACKERKB
added 2020/06/09 12:00 a.m., 17 views

CVE-2020-13965

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. Recent assessments: Assessed Attacker Value: 0...

CVSS 6.3, AI score 5.7, EPSS 0.71819
In wild; Exploits: 2, References: 12
OSV
added 2018/08/16 8:29 p.m., 13 views

CVE-2018-12256

admin/vqmods.app/vqmods.inc.php in LiteCart before 2.1.3 allows remote authenticated attackers to upload a malicious file resulting in remote code execution by using the text/xml or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request...

CVSS 8.8, AI score 7.1
Exploits: 0, References: 2
Prion
added 2013/10/03 7:55 p.m., 20 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite before 7.2.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) content with the text/xml MIME type or (2) the Status comment field of an appointment...

CVSS 3.5, AI score 5.6, EPSS 0.00159
Exploits: 0, References: 1, Affected Software: 1
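The entries above are one bug in two forms: the SiYuan advisories (a data: href blocklist that names text/html and image/svg+xml but not text/xml or application/xml) and the Content-Type filter entries for SuiteCRM, Roundcube, LiteCart and Open-Xchange (text/html blocked, or text/xml allowed, while the XML types still render an SVG or XHTML document with script). The Go program below is an added example written for this page, not code from any of those projects; every name in it (blocklistHrefOK, renderSafe, hrefAllowed, uploadTypeAllowed) is hypothetical, and the contents of the allowlist are an assumption. Go is used because the affected SiYuan module is github.com/siyuan-note/siyuan. It puts the described blocklist beside an allowlist that normalizes the value the way a browser's URL parser does before deciding.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Added example with hypothetical names; not code from any project listed above.
// Blocklists of "dangerous" media types are routed around because text/xml and
// application/xml are also rendered as active documents (SVG/XHTML with onload).

// blocklistHrefOK mirrors the incomplete check the SiYuan advisories describe:
// two data: media types are rejected and everything else passes.
func blocklistHrefOK(href string) bool {
	h := strings.ToLower(strings.TrimSpace(href))
	return !strings.HasPrefix(h, "data:text/html") && !strings.HasPrefix(h, "data:image/svg+xml")
}

// renderSafe is the assumed allowlist: raster image types no browser executes
// script for. Never add text/xml, application/xml, image/svg+xml or text/html.
var renderSafe = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// normalizeMediaType turns "Text/XML; charset=utf-8" or "text/xml;base64"
// into "text/xml": lowercase, parameters dropped, whitespace trimmed.
func normalizeMediaType(ct string) string {
	mt, _, _ := strings.Cut(ct, ";")
	return strings.ToLower(strings.TrimSpace(mt))
}

// cleanURLInput does what the WHATWG URL parser does first: strip leading and
// trailing C0 controls/space, then delete every ASCII tab, LF and CR.
func cleanURLInput(href string) string {
	h := strings.TrimFunc(href, func(r rune) bool { return r <= ' ' })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1
		}
		return r
	}, h)
}

// dataURIMediaType reports whether href is a data: URI and, if so, its
// normalized media type; per RFC 2397 an empty type means text/plain.
func dataURIMediaType(href string) (mediaType string, isData bool) {
	if len(href) < 5 || !strings.EqualFold(href[:5], "data:") {
		return "", false
	}
	meta, _, found := strings.Cut(href[5:], ",")
	if !found {
		return "", true // no payload separator: malformed, will be rejected
	}
	if mt := normalizeMediaType(meta); mt != "" {
		return mt, true
	}
	return "text/plain", true
}

// hrefAllowed is the hardened replacement: data: URIs must carry an
// allowlisted media type, anything else must be relative or http(s).
func hrefAllowed(href string) bool {
	h := cleanURLInput(href)
	if mt, isData := dataURIMediaType(h); isData {
		return renderSafe[mt]
	}
	u, err := url.Parse(h)
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "", "http", "https":
		return true
	}
	return false
}

// uploadTypeAllowed applies the same allowlist to an HTTP Content-Type header,
// the SuiteCRM/LiteCart/Roundcube/Open-Xchange side of the same mistake.
func uploadTypeAllowed(contentType string) bool {
	return renderSafe[normalizeMediaType(contentType)]
}

func main() {
	// Constructed inputs; the SVG payload is the onload pattern the advisories name.
	for _, s := range []string{
		"data:text/html,<script>alert(1)</script>",
		"data:text/xml,<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>",
		"data:application/xml;base64,PHN2Zy8+",
		"DATA:Text/XML ,<svg/>",
		"da\tta:text/xml,<svg/>",
		"javascript:alert(1)",
		"data:image/png;base64,iVBORw0KGgo=",
		"#local-icon",
	} {
		fmt.Printf("%-75q blocklist=%-5v allowlist=%v\n", s, blocklistHrefOK(s), hrefAllowed(s))
	}
}
```

Run it with go run: the blocklist column lets data:text/xml, data:application/xml, a mixed-case scheme and a tab-split scheme through, while the allowlist column rejects all of them and still accepts the PNG data URI and the relative href. The set of media types that execute script is open-ended (text/html, application/xhtml+xml, image/svg+xml, text/xml, application/xml, plus whatever the browser sniffs as a document next), so the decision has to be made against a closed list of inert types, and it has to be made on the same normalized value the browser will act on.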
0day.today
added 2007/10/14 12:00 a.m., 32 views

Apache Tomcat (webdav) Remote File Disclosure Exploit

Exploit for multiple platforms in category remote exploits. Apache Tomcat (webdav) Remote File Disclosure Exploit. #!/usr/bin/perl, Apache Tomcat Remote File Disclosure Zeroday Xploit, kcdarookie a...

AI score 7.1
Exploits: 0