XSS Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-34605

8.6 HIGH

Key Information:

CVE Published: 31 March 2026

What is CVE-2026-34605?

A vulnerability in the SiYuan personal knowledge management system allows the SanitizeSVG function, which is meant to remove dangerous content from SVG documents, to be bypassed. Versions 3.6.0 through 3.6.1 are affected: an attacker can supply an SVG whose script element carries a namespace prefix, which the sanitizer does not recognise as a script tag. When a browser renders the SVG it still treats the prefixed element as a script and executes its contents without any further validation, and no Content Security Policy is in place to block that execution, so the exposure is significant. The issue is fixed in version 3.6.2.
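As an added illustration of the sanitizer-bypass class described above (my own example in Go, the language of SiYuan's kernel; it is not SiYuan's code and not a reconstruction of SanitizeSVG), the check below shows why matching on the literal tag text misses a namespace-prefixed script element while a check on the element's local name does not. The sample SVG and both functions are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// sampleSVG is a constructed input (not from the advisory): the <script> element
// carries a namespace prefix, the shape the advisory says SanitizeSVG let through.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:svg="http://www.w3.org/2000/svg">
  <svg:script></svg:script>
</svg>`

// NaiveHasScript is the kind of check a prefixed tag slips past: literal "<script".
func NaiveHasScript(doc string) bool {
	return strings.Contains(strings.ToLower(doc), "<script")
}

// FindScriptElements reports every start element whose local name is "script",
// whatever prefix it carries. RawToken keeps the prefix verbatim ("svg") and does
// not abort on mismatched tags, closer to how a lenient browser reads the markup.
func FindScriptElements(doc string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var found []string
	for {
		tok, err := dec.RawToken()
		if err == io.EOF {
			return found, nil
		}
		if err != nil {
			return nil, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok || !strings.EqualFold(se.Name.Local, "script") {
			continue
		}
		name := se.Name.Local
		if se.Name.Space != "" {
			name = se.Name.Space + ":" + name
		}
		found = append(found, name)
	}
}

func main() {
	found, err := FindScriptElements(sampleSVG)
	fmt.Println(NaiveHasScript(sampleSVG), found, err) // false [svg:script] <nil>
}
```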

Affected Version(s)

siyuan >= 3.6.0, < 3.6.2

References

CVSS v4

  • Score: 8.6
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: Low
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: Undefined
  • User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
