PT-2026-24464 · Siyuan · Siyuan
0Xkakash1 · Published 2026-03-10 · Updated 2026-03-25 · CVE-2026-31809
CVSS v4.0: 6.4 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
SiYuan versions prior to 3.5.10
Description
SiYuan is a personal knowledge management system susceptible to a reflected cross-site scripting (XSS) condition. The SVG sanitizer, SanitizeSVG, inadequately checks href attributes for the 'javascript:' prefix. Specifically, the use of ASCII tab (\t), newline (\n), or carriage return (\r) characters within the 'javascript:' string bypasses the prefix check. This allows for the injection of executable JavaScript code. The vulnerable API endpoint is /api/icon/getDynamicIcon, and the issue stems from insufficient sanitization of input provided to the href attribute. This is a second bypass of a previous fix.
Recommendations
Update SiYuan to version 3.5.10 or later.
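The prefix-check weakness from the description, as an added Go example that is not SiYuan's code: a prefix-only test is shown beside an allowlist that first applies the WHATWG URL parser's preprocessing (strip leading/trailing C0 control or space, remove every ASCII tab, LF and CR). The function names and sample href values are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveIsJavascriptHref models a prefix-only check of the kind the advisory
// describes (hypothetical, not SiYuan's source).
func naiveIsJavascriptHref(href string) bool {
	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(href)), "javascript:")
}

// normalizeHref mirrors what browsers do before reading the scheme: trim leading
// and trailing C0 control or space, then drop every ASCII tab, LF and CR.
func normalizeHref(href string) string {
	href = strings.TrimFunc(href, func(r rune) bool { return r <= 0x20 })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // remove the character
		}
		return r
	}, href)
}

// hrefAllowed is an allowlist (assumed policy): same-document fragments and
// http(s) URLs only; every other scheme, and relative URLs, are rejected.
func hrefAllowed(href string) bool {
	h := strings.ToLower(normalizeHref(href))
	if strings.HasPrefix(h, "#") {
		return true
	}
	return strings.HasPrefix(h, "http://") || strings.HasPrefix(h, "https://")
}

func main() {
	// Constructed sample values, not taken from the advisory.
	samples := []string{
		"javascript:void(0)", "java\tscript:void(0)", "java\nscript:void(0)",
		"jav\rascript:void(0)", "#icon", "https://example.com/a.svg",
	}
	for _, s := range samples {
		fmt.Printf("%-30q naive-flagged=%-5v allowed=%v\n",
			s, naiveIsJavascriptHref(s), hrefAllowed(s))
	}
}
```

The allowlist decides on the normalized value, so the sanitizer sees the same scheme the browser will.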
Exploit
Fix
XSS
Affected Products
Siyuan