XSS in Siyuan-note Siyuan

CVE-2026-34605

SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (33.7th percentile)
