PT-2026-29401 · Siyuan · Siyuan

Fg0X0
Published: 2026-03-31 · Updated: 2026-04-01
CVE-2026-34605
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions 3.6.0 through 3.6.1
Description: SiYuan is a personal knowledge management system. The SanitizeSVG function, introduced in version 3.6.0 to address XSS in the unauthenticated /api/icon/getDynamicIcon endpoint, can be bypassed with namespace-prefixed element names such as <x:script xmlns:x="http://www.w3.org/2000/svg">. The Go HTML5 parser reports the element's tag as 'x:script' rather than 'script', so the element passes the tag check. The SVG is served with Content-Type: image/svg+xml and without a Content Security Policy. When a browser opens the response directly, its XML parser resolves the prefix to the SVG namespace and executes the embedded script. This allows an attacker on the same network to craft a URL and share it with a victim. When the victim opens it in a browser, JavaScript executes at the SiYuan server origin, potentially allowing access to all notes, data export, or modification of settings, without authentication or prior access.
Recommendations: Update to version 3.6.2 or later.
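The parser differential described above can be checked from the XML side. The following Go program is an added example, not SiYuan's code: it parses a constructed SVG with the standard library encoding/xml decoder, which resolves prefixes to namespace URIs the way a browser's XML parser does, and rejects any element whose local name is script whatever prefix it carries. The sample documents and the blocked-name list are assumptions made for the example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed samples: a benign icon and the namespace-prefixed shape from the advisory.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>`
const prefixedScriptSVG = `<svg xmlns="http://www.w3.org/2000/svg">` +
	`<x:script xmlns:x="http://www.w3.org/2000/svg">alert(1)</x:script></svg>`

// Local element names that must never appear in an SVG served as image/svg+xml (assumed list).
var blockedLocal = map[string]bool{"script": true, "foreignobject": true}

// checkSVG walks the document with encoding/xml and rejects the first blocked element or
// event-handler attribute. Matching on Name.Local (the prefix is already resolved into
// Name.Space) means "x:script" is treated exactly like "script".
func checkSVG(doc string) error {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("malformed XML: %w", err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if local := strings.ToLower(se.Name.Local); blockedLocal[local] {
			return fmt.Errorf("blocked element <%s> in namespace %q", local, se.Name.Space)
		}
		for _, a := range se.Attr {
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") {
				return fmt.Errorf("blocked event-handler attribute %q", a.Name.Local)
			}
		}
	}
}

func main() {
	for name, doc := range map[string]string{"benign": benignSVG, "prefixed-script": prefixedScriptSVG} {
		fmt.Printf("%-16s %v\n", name, checkSVG(doc))
	}
}
```

Rejecting the document outright is safer than stripping the offending element, since rewriting reopens the question of what the other parser will see. The check is a defense-in-depth complement to the 3.6.2 fix, not a substitute for it.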


Tags: XSS

Related Identifiers: CVE-2026-34605, GHSA-73G7-86QR-JRG3
Affected Products: Siyuan