Description
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
Published: 2026-03-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Cross‑Site Scripting via SVG sanitization bypass
Action: Immediate Patch
AI Analysis

Impact

SiYuan’s SVG sanitizer leaves animation tags such as <animate> and <set> unfiltered, allowing these elements to inject JavaScript when the SVG is rendered. The flaw is exploitable through an authentication‑free endpoint that returns dynamic icons, so an attacker can supply crafted SVG content and cause arbitrary script execution in a victim’s browser. This type of reflected XSS jeopardizes the confidentiality and integrity of data accessed by the victim while using the application.

Affected Systems

The vulnerability affects the SiYuan personal knowledge‑management application provided by siyuan‑note, with the product name siyuan. Any installation running a version earlier than 3.5.10 is impacted; versions 3.5.9 and older contain the flaw, while 3.5.10 and later include the fix.

Risk and Exploitability

The severity rating of 6.4 indicates moderate risk, and the likelihood of a real‑world attack is low, with an exploit probability score below 1% and no listing in the CISA KEV catalog. Because the vulnerable interface does not require authentication, an attacker merely needs to construct a malicious SVG and submit it to the dynamic icon endpoint to trigger the script execution, making the exploitation straightforward once the bypass condition is recognized.

Generated by OpenCVE AI on April 17, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SiYuan application to version 3.5.10 or newer.
  • If an upgrade is not immediately possible, block or rate‑limit access to the dynamic icon endpoint until a patch is applied.
  • Implement a temporary filter that removes <animate> and <set> elements from incoming SVG data before it is processed.

Generated by OpenCVE AI on April 17, 2026 at 10:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5hc8-qmg8-pw27 SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
History

Wed, 11 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Tue, 10 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
Title SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T16:00:25.996Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31807

cve-icon Vulnrichment

Updated: 2026-03-11T15:53:41.491Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T21:16:50.023

Modified: 2026-03-11T20:16:28.493

Link: CVE-2026-31807

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T10:00:03Z

Weaknesses