CVE-2026-34605
Description
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as <x:script xmlns:x="http://www.w3.org/2000/svg">. The Go HTML5 parser records the element's tag as "x:script" rather than "script", so the tag check passes it through. The SVG is served with Content-Type: image/svg+xml and no Content Security Policy; when a browser opens the response directly, its XML parser resolves the prefix to the SVG namespace and executes the embedded script. This issue has been patched in version 3.6.2.
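The advisory's core point is that a tag check run on HTML5-parser output sees the literal name "x:script", while the browser's XML parser resolves the prefix to the SVG namespace. The added example below is not SiYuan's code or its SanitizeSVG function; it contrasts a simplified stand-in for the flawed comparison (a regexp over raw tag names, standing in for the golang.org/x/net/html token check) with a namespace-aware walk using Go's standard encoding/xml decoder, which resolves prefixes to URIs the way an XML-mode browser does. The sample SVG documents, the function names, and the svgNS constant are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Constructed sample inputs (not taken from the advisory or the project).
// The script bodies are inert expressions; only the element structure matters here.
var (
	plainScriptSVG    = `<svg xmlns="http://www.w3.org/2000/svg"><script>1+1</script></svg>`
	prefixedScriptSVG = `<svg xmlns="http://www.w3.org/2000/svg"><x:script xmlns:x="http://www.w3.org/2000/svg">1+1</x:script></svg>`
	benignSVG         = `<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>`
)

// rawTagRE captures each opening tag name exactly as written in the source text.
var rawTagRE = regexp.MustCompile(`<\s*([A-Za-z][^\s/>]*)`)

// naiveTagCheck mirrors the flawed comparison the advisory describes: the tag name is
// taken literally ("x:script") and compared to "script", so a namespace-prefixed
// element is never recognised. This is a simplified stand-in (assumption) for a check
// built on HTML5 tokenizer output; it is not the project's real sanitizer.
func naiveTagCheck(svg string) error {
	for _, m := range rawTagRE.FindAllStringSubmatch(svg, -1) {
		if strings.ToLower(m[1]) == "script" {
			return errors.New("script element rejected")
		}
	}
	return nil
}

// namespaceAwareCheck walks the document with encoding/xml. Decoder.Token resolves
// prefixes to namespace URIs, so <x:script xmlns:x="...svg"> arrives with
// Name.Local == "script" and Name.Space == svgNS, exactly as a browser's XML parser
// would see it for a response served as image/svg+xml. Any element whose local name
// is "script" is rejected regardless of prefix; malformed XML is rejected too.
func namespaceAwareCheck(svg string) error {
	dec := xml.NewDecoder(strings.NewReader(svg))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("reject malformed XML: %w", err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		// EqualFold is defence in depth: XML names are case-sensitive, but a
		// sanitizer should not depend on that detail.
		if strings.EqualFold(se.Name.Local, "script") {
			return fmt.Errorf("script element rejected (prefix resolved to namespace %q)", se.Name.Space)
		}
	}
}

func main() {
	samples := []struct{ name, svg string }{
		{"plain", plainScriptSVG},
		{"prefixed", prefixedScriptSVG},
		{"benign", benignSVG},
	}
	for _, s := range samples {
		fmt.Printf("%-9s naive=%v\n          namespace-aware=%v\n", s.name, naiveTagCheck(s.svg), namespaceAwareCheck(s.svg))
	}
}
```

Running it shows the naive check rejecting only the unprefixed form, while the namespace-aware walk rejects both script variants and passes the benign document. The design lesson is that a sanitizer must make its decision on the same parse the consumer will use: for a response served as image/svg+xml, that is an XML parser with namespace resolution, not an HTML5 tokenizer.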
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | < 0.0.0-20260330031106-f09953afc57a | 0.0.0-20260330031106-f09953afc57a |
Affected products
- Range: v3.6.0, v3.6.1
Patches
No patches discovered yet.
References
- github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3 (source: nvd; tags: Exploit, Vendor Advisory; type: WEB)
- github.com/advisories/GHSA-73g7-86qr-jrg3 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-34605 (source: ghsa; type: ADVISORY)
- github.com/siyuan-note/siyuan/issues/17246 (source: nvd; tags: Issue Tracking; type: WEB)
- github.com/siyuan-note/siyuan/releases/tag/v3.6.2 (source: nvd; tags: Release Notes; type: WEB)