Security Advisory

CVE-2026-31807

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-10 20:56:57
Last updated 2026-03-11 16:00:25
Assigner GitHub_M
State PUBLISHED

Description

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuans SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.