SiYuan Personal Knowledge Management System - Unauthenticated XSS via SVG Animation
CVE-2026-31807
GHSA-5hc8-qmg8-pw27
Summary
SiYuan's SVG sanitizer (SanitizeSVG) blocks <script>, <iframe> and <foreignobject> and strips on* event handlers and javascript: hrefs, but it leaves the SVG animation elements <animate> and <set> in place, and those can rewrite an attribute to a dangerous value at render time, after the static checks have run. The sanitizer is reachable through the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), so an attacker can craft a link that runs JavaScript in the browser of anyone who opens it, with whatever access that user has to the SiYuan instance (reflected XSS). This is a bypass of the fix for CVE-2026-29183 shipped in v3.5.9. Update to version 3.5.10 to fix this issue.
What to do
- Upgrade SiYuan to version 3.5.10 or later. Consumers of the Go module listed under github.com / siyuan-note below need pseudo-version 0.0.0-20260310025236-297bd526708f or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | siyuan-note | < 0.0.0-20260310025236-297bd526708f | 0.0.0-20260310025236-297bd526708f |
| b3log | siyuan | < 3.5.10 | 3.5.10 |
Original description
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
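The mechanism above is easiest to see with the two filters side by side. The Go program below is an added example written for this page; it is not SiYuan's SanitizeSVG and makes no claim about how the 3.5.10 fix is implemented. It models the pre-3.5.10 behaviour the advisory describes (drop <script>/<iframe>/<foreignobject>, strip on* attributes and javascript: hrefs) and a hardened mode that also drops the SMIL animation family. <animate> and <set> are the two elements the advisory names; animateMotion, animateTransform and discard are added here on the assumption that the whole family should be treated the same way, since they all rewrite attributes at runtime. The two SVG payloads, sanitizeSVG, isJSURL and qname are all constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Elements whose whole subtree is dropped (the ones the advisory says were
// already blocked before 3.5.10). Names are compared lower-cased.
var blockedElems = map[string]bool{"script": true, "iframe": true, "foreignobject": true}

// SMIL animation elements. <animate> and <set> are from the advisory; the
// rest are the remaining members of the family (assumption of this example).
var animationElems = map[string]bool{
	"animate": true, "set": true, "animatemotion": true, "animatetransform": true, "discard": true,
}

// isJSURL reports whether a URL attribute resolves to the javascript: scheme.
// Browsers strip ASCII whitespace and C0 controls before parsing a URL, so
// "java\tscript:" must be caught as well; removing every rune <= ' ' does that.
func isJSURL(v string) bool {
	clean := strings.Map(func(r rune) rune {
		if r <= ' ' {
			return -1
		}
		return r
	}, v)
	return strings.HasPrefix(strings.ToLower(clean), "javascript:")
}

// qname rebuilds "prefix:local" from a name as RawToken returned it.
func qname(n xml.Name) string {
	if n.Space != "" {
		return n.Space + ":" + n.Local
	}
	return n.Local
}

// sanitizeSVG re-serialises only the tokens that survive the filter.
// blockAnimation=false models the pre-3.5.10 filter; true closes the gap.
// Comments, processing instructions and directives are always dropped.
func sanitizeSVG(in string, blockAnimation bool) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(in))
	var out strings.Builder
	var stack []string // open elements; RawToken does not check nesting, so we do
	skip := 0          // > 0 while inside a dropped subtree
	for {
		tok, err := dec.RawToken() // raw: namespace prefixes stay as written
		if errors.Is(err, io.EOF) {
			break
		}
		if err != nil {
			return "", err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			name := qname(t.Name)
			stack = append(stack, name)
			local := strings.ToLower(t.Name.Local)
			if skip > 0 || blockedElems[local] || (blockAnimation && animationElems[local]) {
				skip++
				continue
			}
			out.WriteString("<" + name)
			for _, a := range t.Attr {
				an := strings.ToLower(a.Name.Local)
				// on* handlers and javascript: in href (plain or xlink:href) are dropped.
				if strings.HasPrefix(an, "on") || (an == "href" && isJSURL(a.Value)) {
					continue
				}
				var val strings.Builder
				xml.EscapeText(&val, []byte(a.Value))
				fmt.Fprintf(&out, ` %s="%s"`, qname(a.Name), val.String())
			}
			out.WriteString(">")
		case xml.EndElement:
			if len(stack) == 0 || stack[len(stack)-1] != qname(t.Name) {
				return "", fmt.Errorf("mismatched end tag </%s>", qname(t.Name))
			}
			stack = stack[:len(stack)-1]
			if skip > 0 {
				skip--
				continue
			}
			out.WriteString("</" + qname(t.Name) + ">")
		case xml.CharData:
			if skip == 0 {
				xml.EscapeText(&out, t)
			}
		}
	}
	if len(stack) != 0 {
		return "", fmt.Errorf("unclosed element <%s>", stack[len(stack)-1])
	}
	return out.String(), nil
}

// Constructed payload: every attribute is static and harmless, but <set>
// rewrites the <a> href to javascript: once the SVG is rendered inline.
const animationPayload = `<svg xmlns="http://www.w3.org/2000/svg"><a href="#"><set attributeName="href" to="javascript:alert(1)"/><text y="20">click me</text></a></svg>`

// Constructed payload using only the vectors the pre-3.5.10 filter handled.
const classicPayload = `<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(2)</script><a href="java&#9;script:alert(3)">x</a></svg>`

func main() {
	for _, mode := range []bool{false, true} {
		out, err := sanitizeSVG(animationPayload, mode)
		fmt.Printf("blockAnimation=%v: %s (err=%v)\n", mode, out, err)
	}
}
```

Run as-is and the first line of output still carries `to="javascript:alert(1)"` inside a <set>, which is exactly what the static checks cannot see; the second line has no <set> at all. The point of the re-serialising design is that nothing the parser did not explicitly keep reaches the output, so a new dangerous element is a matter of adding a name to a map rather than of finding every way to smuggle it past a regex.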
NVD CVSS 4.0 score
6.4
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026