SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS
Description
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (, , ) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (, ) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/siyuan-note/siyuan/kernelGo | < 0.0.0-20260310025236-297bd526708f | 0.0.0-20260310025236-297bd526708f |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/siyuan-note/siyuan/kernelpkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 0.0.0-20260310025236-297bd526708f+ 1 more
- (no CPE)range: < 0.0.0-20260310025236-297bd526708f
- (no CPE)range: < 0.0.20260317T205859-150000.1.152.1
- Range: < 3.5.10
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-5hc8-qmg8-pw27ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31807ghsaADVISORY
- github.com/siyuan-note/siyuan/releases/tag/v3.5.10ghsaWEB
- github.com/siyuan-note/siyuan/security/advisories/GHSA-5hc8-qmg8-pw27ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.