Suse
CVE-2026-32940
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist - it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. The unauthenticated /api/icon/getDynamicIcon endpoint serves user-controlled input (via the content parameter) directly into SVG markup using fmt.Sprintf with no escaping, served as Content-Type: image/svg+xml. This creates a click-through XSS: a victim navigates to a crafted URL, sees an SVG with an injected link, and clicking it triggers JavaScript via the bypassed MIME types. The attack requires direct navigation to the endpoint or <object>/<embed> embedding, since <img> tag rendering in the frontend doesn't allow interactive links. This issue has been fixed in version 3.6.1.
AnalysisAI
SiYuan personal knowledge management system contains a cross-site scripting (XSS) vulnerability in versions 3.6.0 and below. An unauthenticated attacker can exploit the /api/icon/getDynamicIcon endpoint by crafting a malicious URL that bypasses SVG sanitization filters, allowing arbitrary JavaScript execution when a victim clicks an injected link within the rendered SVG. The CVSS score of 9.3 indicates critical severity, though exploitation requires user interaction (clicking a malicious link) and the attack complexity is low.
Technical ContextAI
The vulnerability stems from an incomplete blocklist in the SanitizeSVG function (CWE-79: Improper Neutralization of Input During Web Page Generation). The sanitizer blocks data:text/html and data:image/svg+xml MIME types in href attributes but fails to filter data:text/xml and data:application/xml, both of which browsers can interpret as SVG with JavaScript execution capabilities. The /api/icon/getDynamicIcon endpoint uses fmt.Sprintf to inject user-controlled input from the content parameter directly into SVG markup without escaping, then serves it with Content-Type: image/svg+xml. This creates a click-through XSS attack vector where interactive SVG elements can trigger JavaScript, though the attack surface is limited since standard img tag rendering doesn't allow interactive links—attackers must either direct victims to the endpoint URL or embed it via object or embed tags.
RemediationAI
Upgrade SiYuan to version 3.6.1 or later, which contains the security fix as documented in the release notes at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1 and implemented in commit d01d561875d4f744e9f6232f1d4831e3642b8696. Until patching is completed, restrict network access to the /api/icon/getDynamicIcon endpoint using web application firewall rules or reverse proxy access controls to prevent untrusted users from accessing this API. Implement Content-Security-Policy headers with strict script-src directives to mitigate JavaScript execution from inline SVG sources. For internet-facing instances, consider requiring authentication for all API endpoints as an additional defense-in-depth measure.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Critical| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-4mx9-3c2h-hwhg