CVE Reports

Originally published at cvereports.com

CVE-2026-34605: Reflected Cross-Site Scripting via SVG Namespace Bypass in SiYuan

Vulnerability ID: CVE-2026-34605
CVSS Score: 8.6
Published: 2026-04-01

The SiYuan personal knowledge management system, versions 3.6.0 through 3.6.1, contains a high-severity Reflected Cross-Site Scripting (XSS) vulnerability. The flaw lies in the SVG sanitization logic behind the /api/icon/getDynamicIcon endpoint, whose tag blocklist can be bypassed with XML namespace prefixes. Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the victim's session.

TL;DR

A flaw in SiYuan's SanitizeSVG function allows attackers to bypass its XSS filter using XML namespace prefixes (e.g., <x:script>). This lets an unauthenticated attacker execute arbitrary JavaScript in the victim's browser context. The issue affects versions 3.6.0 to 3.6.1 and is fixed in 3.6.2.
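As an added illustration (not code from SiYuan or from this report), the following Go snippet contrasts a blocklist that matches the raw tag text, which a prefixed tag such as <x:script> slips past, with a check that parses the XML and compares each element's local name with the prefix stripped. The sample SVGs and the blocklist are constructed for the example and are not SiYuan's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed sample inputs (not from the advisory): benign, <script>, <x:script>.
const (
	benignSVG         = `<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>`
	plainScriptSVG    = `<svg xmlns="http://www.w3.org/2000/svg"><script>1</script></svg>`
	prefixedScriptSVG = `<svg xmlns="http://www.w3.org/2000/svg"><x:script>1</x:script></svg>`
)
// Hypothetical blocklist for illustration; it is not SiYuan's actual list.
var blockedTags = map[string]bool{"script": true, "foreignobject": true, "iframe": true}

// weakIsBlocked matches the tag text as literally written ("<script"), so a
// prefixed "<x:script" never matches: the bypass class the advisory describes.
func weakIsBlocked(svg string) bool {
	lower := strings.ToLower(svg)
	for tag := range blockedTags {
		if strings.Contains(lower, "<"+tag) {
			return true
		}
	}
	return false
}

// hardenedIsBlocked tokenises the document and compares each element's local
// name with any namespace prefix stripped, so <x:script> is judged as <script>.
func hardenedIsBlocked(svg string) bool {
	dec := xml.NewDecoder(strings.NewReader(svg))
	for {
		tok, err := dec.Token()
		if err != nil {
			return err != io.EOF // clean EOF: nothing blocked; any other error: fail closed
		}
		if se, ok := tok.(xml.StartElement); ok && blockedTags[strings.ToLower(se.Name.Local)] {
			return true
		}
	}
}

func main() {
	for _, s := range []string{benignSVG, plainScriptSVG, prefixedScriptSVG} {
		fmt.Printf("weak=%v hardened=%v %s\n", weakIsBlocked(s), hardenedIsBlocked(s), s)
	}
}
```

A real sanitizer would also strip event-handler attributes and foreign content, but the local-name comparison is the specific fix for the prefix bypass.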


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Improper Neutralization of Input During Web Page Generation)
  • Attack Vector: Network
  • CVSS Score: 8.6 (High)
  • Impact: High Confidentiality, High Integrity
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • SiYuan Web Application
  • SiYuan Desktop Application (if utilizing the vulnerable endpoint for rendering)
  • SiYuan: >= 3.6.0, < 3.6.2 (Fixed in: 3.6.2)

Exploit Details

Mitigation Strategies

  • Upgrade SiYuan to version 3.6.2 or later.
  • Implement Web Application Firewall (WAF) rules that block xmlns declarations and namespace-prefixed tags in SVG payloads sent to the /api/icon/getDynamicIcon endpoint.
  • Enforce a strict Content Security Policy (CSP) restricting script execution on endpoints serving user-controlled SVG data.
  • Restrict network access to the management interface and API endpoints using reverse proxy access controls.

Remediation Steps:

  1. Verify the current running version of the SiYuan application.
  2. Download the version 3.6.2 release from the official repository.
  3. Stop the SiYuan service.
  4. Apply the update according to the standard deployment procedure.
  5. Restart the service and verify normal functionality.
  6. Review application logs for historical exploitation attempts targeting /api/icon/getDynamicIcon.
