
SiYuan: Unauthenticated JavaScript Injection via SVG Sanitizer Bypass

CVE-2026-31809 GHSA-pmc9-f5qr-2pcr
Summary

A vulnerability in SiYuan's SVG sanitizer allows an unauthenticated attacker to inject JavaScript that executes in a user's browser when that user interacts with the /api/icon/getDynamicIcon endpoint (a reflected cross-site scripting issue), potentially letting the attacker perform unauthorized actions. The issue is fixed in version 3.5.10; update to this version to protect your system.

What to do
  • Update github.com siyuan-note to version 0.0.0-20260310025236-297bd526708f.
Affected software
Vendor       Product       Affected versions                        Fix available
github.com   siyuan-note   <= 0.0.0-20260310025236-297bd526708f     0.0.0-20260310025236-297bd526708f
b3log        siyuan        <= 3.5.10                                –
Original description
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (&#9;), newline (&#10;), or carriage return (&#13;) characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10.
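To make the bypass and its fix concrete, here is an added Go example (not SiYuan's code; the function names are assumed) that places a naive HasPrefix scheme check beside one that first applies the normalization a browser performs under the WHATWG URL specification: trimming leading and trailing C0 controls and spaces, removing ASCII tab, LF and CR anywhere, and lowercasing. It assumes the sanitizer sees attribute values after entity decoding, and the case-folding goes beyond what the advisory describes.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveIsJavaScriptHref reconstructs the kind of check the advisory
// describes: a literal prefix test that a tab, LF or CR inside the
// scheme slips past. Hypothetical, not SiYuan's code.
func naiveIsJavaScriptHref(href string) bool {
	return strings.HasPrefix(href, "javascript:")
}

// normalizeHrefForScheme drops what a browser discards before scheme
// parsing (WHATWG URL): leading/trailing C0 controls and spaces, and
// ASCII tab, LF and CR anywhere; it then lowercases for comparison.
func normalizeHrefForScheme(href string) string {
	href = strings.TrimFunc(href, func(r rune) bool { return r <= 0x20 })
	href = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // dropped
		}
		return r
	}, href)
	return strings.ToLower(href)
}

// hardenedIsJavaScriptHref tests the scheme only after the same
// normalization the browser applies, so whitespace inserted into
// "javascript:" no longer hides it.
func hardenedIsJavaScriptHref(href string) bool {
	return strings.HasPrefix(normalizeHrefForScheme(href), "javascript:")
}

func main() {
	// Constructed, already entity-decoded href values (assumption: the
	// sanitizer sees decoded attribute values). Only the scheme matters.
	for _, href := range []string{
		"javascript:void(0)",
		"java\tscript:void(0)",
		"\r\njavascript:void(0)",
		"https://example.org/icon.svg",
	} {
		fmt.Printf("%-28q naive=%-5v hardened=%v\n", href,
			naiveIsJavaScriptHref(href), hardenedIsJavaScriptHref(href))
	}
}
```

The first two inputs show the gap the advisory describes: the naive check flags only the literal prefix, while the hardened check flags both the literal and the tab-split form.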
NVD CVSS 4.0 score: 6.4
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026