CVE-2026-31807

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.10

Description SiYuan is a personal knowledge management system. The SVG sanitizer (SanitizeSVG) in versions prior to 3.5.10 does not block SVG animation elements (, ), allowing attackers to dynamically set attributes to dangerous values at runtime, bypassing static sanitization. This enables the injection of executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), resulting in a reflected Cross-Site Scripting (XSS) condition. This is a bypass of a previous fix. The vulnerable parameter is type.

Recommendations Update to version 3.5.10 or later.