Skip to main content

Suse CVE-2026-32940

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 security-advisories@github.com GHSA-4mx9-3c2h-hwhg
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 04:16 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist - it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both of which can render SVG with JavaScript execution. The unauthenticated /api/icon/getDynamicIcon endpoint serves user-controlled input (via the content parameter) directly into SVG markup using fmt.Sprintf with no escaping, served as Content-Type: image/svg+xml. This creates a click-through XSS: a victim navigates to a crafted URL, sees an SVG with an injected link, and clicking it triggers JavaScript via the bypassed MIME types. The attack requires direct navigation to the endpoint or <object>/<embed> embedding, since <img> tag rendering in the frontend doesn't allow interactive links. This issue has been fixed in version 3.6.1.

AnalysisAI

SiYuan personal knowledge management system contains a cross-site scripting (XSS) vulnerability in versions 3.6.0 and below. An unauthenticated attacker can exploit the /api/icon/getDynamicIcon endpoint by crafting a malicious URL that bypasses SVG sanitization filters, allowing arbitrary JavaScript execution when a victim clicks an injected link within the rendered SVG. The CVSS score of 9.3 indicates critical severity, though exploitation requires user interaction (clicking a malicious link) and the attack complexity is low.

Technical ContextAI

The vulnerability stems from an incomplete blocklist in the SanitizeSVG function (CWE-79: Improper Neutralization of Input During Web Page Generation). The sanitizer blocks data:text/html and data:image/svg+xml MIME types in href attributes but fails to filter data:text/xml and data:application/xml, both of which browsers can interpret as SVG with JavaScript execution capabilities. The /api/icon/getDynamicIcon endpoint uses fmt.Sprintf to inject user-controlled input from the content parameter directly into SVG markup without escaping, then serves it with Content-Type: image/svg+xml. This creates a click-through XSS attack vector where interactive SVG elements can trigger JavaScript, though the attack surface is limited since standard img tag rendering doesn't allow interactive links—attackers must either direct victims to the endpoint URL or embed it via object or embed tags.

RemediationAI

Upgrade SiYuan to version 3.6.1 or later, which contains the security fix as documented in the release notes at https://github.com/siyuan-note/siyuan/releases/tag/v3.6.1 and implemented in commit d01d561875d4f744e9f6232f1d4831e3642b8696. Until patching is completed, restrict network access to the /api/icon/getDynamicIcon endpoint using web application firewall rules or reverse proxy access controls to prevent untrusted users from accessing this API. Implement Content-Security-Policy headers with strict script-src directives to mitigate JavaScript execution from inline SVG sources. For internet-facing instances, consider requiring authentication for all API endpoints as an additional defense-in-depth measure.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-32940 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy