Reflected XSS Vulnerability in SiYuan Knowledge Management System
CVE-2026-31807

6.4 MEDIUM

Key Information:

CVE Published: 10 March 2026

What is CVE-2026-31807?

SiYuan is a personal knowledge management system. Prior to version 3.5.10, its SVG sanitizer, the SanitizeSVG utility, enforced an incomplete blocklist. The sanitizer removes certain dangerous elements outright and attempts to strip JavaScript event-handler attributes, but it does not account for SVG (SMIL) animation elements, which can assign a new value to an attribute at runtime, after the document has already passed sanitization. An attacker can use this gap to deliver JavaScript through the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), resulting in reflected cross-site scripting. The issue is a bypass of the fix for CVE-2026-29183 that shipped in version 3.5.9; version 3.5.10 closes it.
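To show why runtime attribute animation defeats a sanitizer of the kind described above, here is an added Go example. It is not SiYuan's SanitizeSVG and does not reproduce the advisory's payload: it is a small blocklist sanitizer built on encoding/xml, with a naive policy that drops script and foreignObject elements and on* handlers and checks href for javascript: URLs, beside a hardened policy that also removes the SMIL animation elements. The sample SVG, the policy names, and the use of set and animate as the bypass elements are this example's own assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// policy describes what a sanitizer removes. Both policies are hypothetical
// models of the sanitizer class in the advisory, not SiYuan's code.
type policy struct {
	blockedElements map[string]bool // dropped together with their subtree
	urlAttrs        map[string]bool // attribute values checked for javascript:
	scanAllValues   bool            // check every attribute value, not only urlAttrs
}

// naivePolicy strips script-bearing elements and event handlers and checks
// href, but leaves SMIL animation elements alone.
var naivePolicy = policy{
	blockedElements: map[string]bool{"script": true, "foreignobject": true},
	urlAttrs:        map[string]bool{"href": true},
}

// hardenedPolicy also drops the SMIL animation elements, which can assign a
// new value to any attribute (including href) after sanitization has run.
var hardenedPolicy = policy{
	blockedElements: map[string]bool{
		"script": true, "foreignobject": true, "animate": true, "set": true,
		"animatetransform": true, "animatemotion": true, "discard": true,
	},
	urlAttrs:      map[string]bool{"href": true},
	scanAllValues: true, // defence in depth; element removal is the real fix
}

// Sanitize re-serialises svg, dropping what the policy forbids.
func Sanitize(svg string, p policy) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	var out strings.Builder
	enc := xml.NewEncoder(&out)
	skip := 0 // >0 while inside a blocked element's subtree
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return "", err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if skip > 0 || p.blockedElements[strings.ToLower(t.Name.Local)] {
				skip++
				continue
			}
			kept := make([]xml.Attr, 0, len(t.Attr))
			for _, a := range t.Attr {
				name := strings.ToLower(a.Name.Local)
				val := strings.ToLower(strings.TrimSpace(a.Value))
				if strings.HasPrefix(name, "on") {
					continue // event handler attribute
				}
				if (p.scanAllValues || p.urlAttrs[name]) && strings.HasPrefix(val, "javascript:") {
					continue // javascript: URL in a checked attribute
				}
				kept = append(kept, a)
			}
			t.Attr = kept
			err = enc.EncodeToken(t)
		case xml.EndElement:
			if skip > 0 {
				skip--
				continue
			}
			err = enc.EncodeToken(t)
		case xml.CharData:
			if skip == 0 {
				err = enc.EncodeToken(t)
			}
		} // comments, processing instructions and directives are dropped
		if err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return out.String(), nil
}

// HasJavaScriptURL reports whether a javascript: URL survives in the output.
func HasJavaScriptURL(s string) bool {
	return strings.Contains(strings.ToLower(s), "javascript:")
}

// sampleSVG is a constructed document, not a payload from the advisory: the
// <a> starts with a harmless href that SMIL elements rewrite at runtime.
const sampleSVG = `<svg viewBox="0 0 100 100">` +
	`<script>alert(1)</script>` +
	`<rect width="10" height="10" onload="alert(2)"/>` +
	`<a href="#safe"><text y="20">click me</text>` +
	`<set attributeName="href" to="javascript:alert(3)"/>` +
	`<animate attributeName="href" values="javascript:alert(4)" dur="1s" fill="freeze"/>` +
	`</a></svg>`

func main() {
	for name, p := range map[string]policy{"naive": naivePolicy, "hardened": hardenedPolicy} {
		out, err := Sanitize(sampleSVG, p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s policy, javascript: survives=%v\n%s\n\n", name, HasJavaScriptURL(out), out)
	}
}
```

Running it shows the naive output free of script elements and onload, yet still carrying `to="javascript:alert(3)"` on a `<set>` element that a browser applies to the link the moment the image loads; the hardened output keeps the link and its text but has no animation elements left. Checking attribute values for a javascript: prefix is worth keeping but is not the fix on its own, since `values` lists and entity-encoded variants are easy to vary; removing the animation elements, or serving untrusted SVG only as an image resource (Content-Disposition: attachment, or an img tag rather than inline markup), is what closes this class.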

Affected Version(s)

siyuan < 3.5.10

CVSS V4

Score: 6.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: not stated
User Interaction: not stated

Timeline

  • 10 March 2026: Vulnerability published

  • Vulnerability reserved (date not stated)