SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
Description
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/siyuan-note/siyuan/kernelGo | < 0.0.0-20260310025236-297bd526708f | 0.0.0-20260310025236-297bd526708f |
Affected products
1- Range: < 3.5.10
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-5hc8-qmg8-pw27ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31807ghsaADVISORY
- github.com/siyuan-note/siyuan/releases/tag/v3.5.10ghsaWEB
- github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.