CVE-2026-32940

CVE-2026-32940 affects SiYuan, a personal knowledge management system, in versions 3.6.0 and below. The vulnerability stems from an incomplete blocklist in the SanitizeSVG function, which blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml; both overlooked types can render SVG content with JavaScript execution. Additionally, the unauthenticated /api/icon/getDynamicIcon endpoint processes user-controlled input from the content parameter and inserts it directly into SVG markup using fmt.Sprintf without escaping, serving the response with Content-Type: image/svg+xml. This flaw, published on 2026-03-20, is rated 9.3 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) and maps to CWE-79 (Cross-site Scripting) and CWE-184 (Incomplete List of Disallowed Inputs).

An unauthenticated attacker can exploit this via a click-through cross-site scripting (XSS) attack by crafting a URL to the /api/icon/getDynamicIcon endpoint with malicious content. A victim must navigate directly to the URL or embed it via <object> or <embed> tags, as <img> tag rendering in the frontend does not support interactive links; upon viewing the resulting SVG image, the victim sees an injected link and, upon clicking it, triggers JavaScript execution through the bypassed data MIME types. Successful exploitation enables high confidentiality and integrity impacts, such as session hijacking or data theft, though it requires user interaction and changes the scope.

Advisories and patches confirm the issue was addressed in SiYuan version 3.6.1. Relevant GitHub Security Advisories (GHSA-6865-qjcf-286f and GHSA-4mx9-3c2h-hwhg) detail the flaw, with the fixing commit at https://github.com/siyuan-note/siyuan/commit/d01d561875d4f744e9f6232f1d4831e3642b8696 and the release at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1; practitioners should upgrade to 3.6.1 or later to mitigate.