XSS in Siyuan-note Siyuan
CVE-2026-31809
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (	), newline ( ), or c…
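The bypass class described above, as an added Go example (not SiYuan's code or its fix): prefixCheck is a hypothetical stand-in for the HasPrefix test, and hrefAllowed first normalises the value the way the WHATWG URL parser does, then compares the scheme against an allowlist. The allowlist and all sample values are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// prefixCheck is a hypothetical stand-in for the check the advisory describes:
// a prefix test on the attribute value as written.
func prefixCheck(href string) bool {
	return strings.HasPrefix(strings.ToLower(href), "javascript:")
}

// hrefScheme returns the lower-cased scheme a browser would see, or "" for a
// relative or fragment reference. Like the WHATWG URL parser, it trims leading
// and trailing C0 control/space and drops every tab, LF and CR first.
func hrefScheme(href string) string {
	href = strings.TrimFunc(href, func(r rune) bool { return r <= 0x20 })
	href = strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(href)
	i := strings.IndexAny(href, ":/?#")
	if i <= 0 || href[i] != ':' {
		return ""
	}
	scheme := strings.ToLower(href[:i])
	for j, c := range scheme {
		alpha := c >= 'a' && c <= 'z'
		if !alpha && (j == 0 || !strings.ContainsRune("0123456789+-.", c)) {
			return "" // not a valid scheme, so the value is a relative reference
		}
	}
	return scheme
}

// hrefAllowed accepts relative references and an allowlist of schemes
// (the list is an assumption for this example).
func hrefAllowed(href string) bool {
	switch hrefScheme(href) {
	case "", "http", "https":
		return true
	}
	return false
}

func main() {
	// Constructed sample values.
	for _, h := range []string{"#icon", "https://example.com/a.svg", "javascript:void(0)", "java\tscript:void(0)", "java\nscript:void(0)"} {
		fmt.Printf("%q prefixCheck=%v allowed=%v\n", h, prefixCheck(h), hrefAllowed(h))
	}
}
```

A sanitizer test suite can reuse the last two sample values as regression cases: the prefix test misses them, while the normalised scheme check rejects them.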
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.005 (66.4th percentile)
Affected products
- Siyuan-note Siyuan — versions < 3.5.10
Weakness classification (CWE)
References
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr (x_refsource_CONFIRM)