CVE-2026-34605
Received Received - Intake
SVG Namespace Bypass Enables XSS in SiYuan

Publication date: 2026-03-31

Last updated on: 2026-04-03

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as <x:script xmlns:x="http://www.w3.org/2000/svg">. The Go HTML5 parser records the element's tag as "x:script" rather than "script", so the tag check passes it through. The SVG is served with Content-Type: image/svg+xml and no Content Security Policy; when a browser opens the response directly, its XML parser resolves the prefix to the SVG namespace and executes the embedded script. This issue has been patched in version 3.6.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-03
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34605
EUVD
EUVD-2026-17687
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b3log siyuan From 3.6.0 (inc) to 3.6.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects SiYuan, a personal knowledge management system, in versions from 3.6.0 to before 3.6.2. The issue lies in the SanitizeSVG function introduced in version 3.6.0 to fix cross-site scripting (XSS) in the unauthenticated /api/icon/getDynamicIcon endpoint. However, attackers can bypass this sanitization by using namespace-prefixed element names like <x:script xmlns:x="http://www.w3.org/2000/svg">. The Go HTML5 parser records the tag as "x:script" instead of "script", allowing the malicious tag to pass through the check. When the SVG is served with Content-Type: image/svg+xml and no Content Security Policy, a browser opening the response directly will resolve the prefix to the SVG namespace and execute the embedded script.

This vulnerability was patched in version 3.6.2.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks via the unauthenticated /api/icon/getDynamicIcon endpoint. An attacker can inject malicious scripts that will be executed by a victim's browser when the SVG content is loaded. This can result in unauthorized actions, data theft, session hijacking, or other malicious activities performed in the context of the vulnerable application.

Mitigation Strategies

The vulnerability has been patched in SiYuan version 3.6.2. The immediate step to mitigate this vulnerability is to upgrade SiYuan to version 3.6.2 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart