PT-2026-26178 · Siyuan · Siyuan

Vnykmshr

·

Published

2026-03-04

·

Updated

2026-03-27

·

CVE-2026-32940

CVSS v3.1

9.3

Critical

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 and earlier
Description: SiYuan, a personal knowledge management system, has an incomplete blocklist in its SanitizeSVG function. The function blocks 'data:text/html' and 'data:image/svg+xml' in 'href' attributes but does not block 'data:text/xml' or 'data:application/xml', both of which a browser will render as an SVG document, including any embedded JavaScript. The unauthenticated API endpoint '/api/icon/getDynamicIcon' inserts user-controlled input from the content parameter directly into SVG markup using fmt.Sprintf without escaping, and the response is served as Content-Type: image/svg+xml. The result is a click-through XSS: a victim who navigates to a crafted URL sees an SVG containing an injected link, and clicking that link executes JavaScript through one of the data: MIME types the blocklist misses. The attack requires direct navigation to the endpoint or embedding via the or tags. The vulnerable code is in kernel/util/misc.go lines 289-293, where the blocklist omits 'text/xml' and 'application/xml'.
Recommendations: Update to version 3.6.1 or later. As an interim mitigation, replace the data: URI blocklist with an allowlist that permits only safe raster image types in 'href', such as 'data:image/png', 'data:image/jpeg', 'data:image/gif', and 'data:image/webp'.
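The following Go program is an added illustration of the two defects described above and of the allowlist the recommendation calls for; it is not SiYuan's code, and the function names, the SVG skeleton and the sample payloads are assumptions made for the example. It goes slightly beyond the advisory text in one respect: instead of matching raw 'data:...' string prefixes it parses the media type out of the data: URI, so case variants (DATA:Text/XML) and parameters (;base64) are judged by their media type rather than by their spelling.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// dataMediaType extracts the media type of a data: URI
// ("data:text/xml,<svg/>" -> "text/xml"). ok is false when href is not a data: URI.
// Matching on the parsed media type, not on a literal prefix, means
// "DATA:Text/XML" and "data:text/xml;base64" are treated the same way.
func dataMediaType(href string) (mediaType string, ok bool) {
	h := strings.TrimSpace(href)
	if len(h) < 5 || !strings.EqualFold(h[:5], "data:") {
		return "", false
	}
	rest := h[5:]
	if i := strings.IndexAny(rest, ";,"); i >= 0 {
		rest = rest[:i]
	}
	return strings.ToLower(strings.TrimSpace(rest)), true
}

// blocklistHrefAllowed reproduces the blocklist pattern the advisory describes
// (hypothetical reconstruction, not SanitizeSVG itself): only two media types are
// rejected, so text/xml and application/xml pass straight through.
func blocklistHrefAllowed(href string) bool {
	mt, ok := dataMediaType(href)
	if !ok {
		return true
	}
	return mt != "text/html" && mt != "image/svg+xml"
}

// allowlistHrefAllowed is the mitigation the advisory recommends: a data: URI is
// accepted only when its media type is one of the listed raster image types.
func allowlistHrefAllowed(href string) bool {
	mt, ok := dataMediaType(href)
	if !ok {
		return true // non-data: schemes are outside the scope of this example
	}
	switch mt {
	case "image/png", "image/jpeg", "image/gif", "image/webp":
		return true
	}
	return false
}

// bypassPayloads are constructed sample hrefs that a text/html + image/svg+xml
// blocklist does not catch.
var bypassPayloads = []string{
	"data:text/xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>",
	"data:application/xml;base64,PHN2Zy8+",
	"DATA:Text/XML,<svg/>",
}

// renderIconUnescaped mirrors the unsafe pattern from the description: the user
// supplied content is formatted straight into SVG markup, so markup in it is
// emitted as markup. The SVG skeleton is an assumption for the example.
func renderIconUnescaped(content string) string {
	return fmt.Sprintf(`<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="20">%s</text></svg>`, content)
}

// renderIconEscaped escapes the content first, so it can only ever be text.
// html.EscapeString rewrites <, >, &, ' and " as character references, all of
// which are valid inside an XML text node.
func renderIconEscaped(content string) string {
	return fmt.Sprintf(`<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="20">%s</text></svg>`, html.EscapeString(content))
}

func main() {
	for _, p := range bypassPayloads {
		fmt.Printf("%-45.45s blocklist=%v allowlist=%v\n", p, blocklistHrefAllowed(p), allowlistHrefAllowed(p))
	}
	// Constructed content parameter that closes the text element and injects a link.
	injected := `</text><a href="data:text/xml,<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>">click</a><text>`
	fmt.Println(renderIconUnescaped(injected))
	fmt.Println(renderIconEscaped(injected))
}
```

Running it prints each bypass payload with blocklist=true and allowlist=false, then the same injected content rendered once as live markup and once as inert text. The two fixes are independent: the allowlist closes the specific bypass, while escaping the content parameter removes the injection point itself, so a practitioner would want both.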

Exploit

Fix

Weakness Enumeration

Incomplete List of Disallowed Inputs (CWE-184)

XSS

Related Identifiers

CVE-2026-32940
GHSA-4MX9-3C2H-HWHG
GHSA-6865-QJCF-286F
GO-2026-4721
SUSE-SU-2026:1135-1

Affected Products

Siyuan