Reflected XSS Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-31809

6.4 MEDIUM

Key Information:

CVE Published:
10 March 2026

What is CVE-2026-31809?

The SiYuan personal knowledge management system contains a flaw in its SVG sanitizer in versions prior to 3.5.10. The sanitizer checks href attributes for the 'javascript:' prefix, but an attacker can bypass the check by inserting ASCII control characters such as tabs and newlines into the scheme (for example 'java<TAB>script:'). Because browsers remove these characters when parsing a URL, as required by the WHATWG URL specification, the attribute still resolves to a javascript: URL and the payload executes. This results in a reflected XSS vulnerability, allowing an attacker to inject executable JavaScript via the unauthenticated /api/icon/getDynamicIcon endpoint. The issue is a second bypass of the fix for a previously addressed vulnerability (CVE-2026-29183); version 3.5.10 fixes it.
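The bypass described above, shown as an added example that is not SiYuan's own sanitizer code: a naive prefix check on the raw href value, next to a hardened check that first applies the WHATWG URL pre-processing (trim leading and trailing C0 controls and space, then drop every ASCII tab, LF and CR) and then extracts the scheme. The function names, the scheme allowlist and the sample href values are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveIsJavascriptHref mirrors the kind of check the advisory describes as
// bypassable: a literal prefix comparison on the (whitespace-trimmed) raw value.
// strings.TrimSpace does not remove an embedded tab, and it does not remove a
// leading C0 control such as \x01, so "java\tscript:" slips through.
func naiveIsJavascriptHref(href string) bool {
	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(href)), "javascript:")
}

// normalizeHref applies the two pre-processing steps of the WHATWG basic URL
// parser that matter here: strip leading/trailing C0 controls and space
// (code points <= U+0020), then remove all ASCII tab, LF and CR anywhere.
// This is what the browser does before it looks at the scheme.
func normalizeHref(href string) string {
	trimmed := strings.TrimFunc(href, func(r rune) bool { return r <= 0x20 })
	var b strings.Builder
	for _, r := range trimmed {
		if r == '\t' || r == '\n' || r == '\r' {
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

// asciiLower lowercases only A-Z; scheme comparison is ASCII case-insensitive
// and must not be affected by Unicode case folding of other characters.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// scheme returns the lowercased URL scheme of an already-normalized href, or ""
// when the value has no valid scheme (ALPHA then ALPHA/DIGIT/"+"/"-"/"." up to
// the first ':'). A value with no scheme is a relative reference, which a
// browser will never treat as javascript:.
func scheme(href string) string {
	for i := 0; i < len(href); i++ {
		c := href[i]
		if c == ':' {
			if i == 0 {
				return ""
			}
			return asciiLower(href[:i])
		}
		isAlpha := (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
		isDigit := c >= '0' && c <= '9'
		if i == 0 && !isAlpha {
			return ""
		}
		if !isAlpha && !isDigit && c != '+' && c != '-' && c != '.' {
			return ""
		}
	}
	return ""
}

// hardenedIsJavascriptHref decides on the scheme the browser will actually see.
func hardenedIsJavascriptHref(href string) bool {
	return scheme(normalizeHref(href)) == "javascript"
}

// isSafeHref is the stricter policy a sanitizer should prefer over a denylist:
// allow relative references and a short list of schemes, reject everything else
// (hypothetical allowlist chosen for this example).
func isSafeHref(href string) bool {
	allowed := map[string]bool{"http": true, "https": true, "mailto": true}
	s := scheme(normalizeHref(href))
	return s == "" || allowed[s]
}

func main() {
	// Constructed sample href values, including the control-character bypasses.
	samples := []string{
		"javascript:alert(1)",
		"java\tscript:alert(1)",
		"jav\nascript:alert(1)",
		"\x01javascript:alert(1)",
		"JaVaScRiPt:alert(1)",
		"https://example.com/icon.png",
		"#fragment",
		"data:text/html,x",
	}
	for _, h := range samples {
		fmt.Printf("%-28q naive=%-5v hardened=%-5v safe=%v\n",
			h, naiveIsJavascriptHref(h), hardenedIsJavascriptHref(h), isSafeHref(h))
	}
}
```

Note that a NUL byte inside the scheme ("java\x00script:") is not removed by the WHATWG pre-processing, so the hardened check correctly classifies it as a relative reference rather than javascript:, matching what the browser does. The allowlist form is the one to keep: a denylist of dangerous schemes has to be re-fixed every time a new encoding trick appears, which is exactly the history this advisory records.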

Affected Version(s)

siyuan < 3.5.10

CVSS v4

Score: 6.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

The None impact values listed here are the vulnerable-system metrics. A CVSS v4 vector with no impact at all scores 0, so a 6.4 score with these values means the impact lies on the subsequent system, here the browser session of the user who loads the reflected SVG, which this listing does not show.

Timeline

  • Vulnerability published: 10 March 2026

  • Vulnerability reserved