VYPR
Moderate severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

CVE-2026-31807

Description

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (, , ) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (, ) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/siyuan-note/siyuan/kernelGo
< 0.0.0-20260310025236-297bd526708f0.0.0-20260310025236-297bd526708f

Affected products

3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.