GHSA-4MX9-3C2H-HWHG: Reflected Cross-Site Scripting via Incomplete SVG Sanitization Bypass in SiYuan
Vulnerability ID: GHSA-4MX9-3C2H-HWHG
CVSS Score: 9.3
Published: 2026-03-17
GHSA-4MX9-3C2H-HWHG is a critical reflected Cross-Site Scripting (XSS) vulnerability in the SiYuan personal knowledge management system. The flaw stems from an incomplete blocklist in the application's SVG sanitizer: an attacker can execute arbitrary JavaScript by supplying a malicious data: URI to the unauthenticated dynamic icon generation endpoint.
TL;DR
A bypass in SiYuan's SVG sanitizer allows unauthenticated attackers to achieve reflected XSS by injecting data:text/xml URIs. This can lead to session hijacking, data exfiltration, and potential RCE in desktop deployments.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Score: 9.3
- Impact: High (Confidentiality & Integrity)
- Exploit Status: PoC Available
- Authentication: None Required
Affected Systems
- SiYuan (Personal Knowledge Management System)
- SiYuan: >= 3.5.9, <= 3.6.0
Mitigation Strategies
- Implement a strict allowlist for data: URIs in SanitizeSVG
- Deploy WAF rules to inspect the content parameter for XML-based data URIs
- Monitor access logs for anomalous requests to /api/icon/getDynamicIcon
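The log-monitoring and WAF items above can be put into practice with a small scanner. The following Go program is an added example for this advisory, not SiYuan's own code or a rule set shipped with any WAF; it parses Common/Combined Log Format lines, isolates requests to /api/icon/getDynamicIcon, percent-decodes the content parameter and flags any data: URI whose media type is not one of the raster image types the remediation section names. The log lines, client addresses and the placeholder URI contents are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one access-log line that sent an unexpected data: URI to
// the dynamic icon endpoint.
type Finding struct {
	Client  string
	Content string
}

// iconEndpoint is the path the advisory says to monitor.
const iconEndpoint = "/api/icon/getDynamicIcon"

// expectedIconMediaTypes are the media types the remediation section treats
// as safe for icon content; anything else in a data: URI is worth a look.
var expectedIconMediaTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// combinedLogRe pulls the client address, method and request target out of a
// Common/Combined Log Format line.
var combinedLogRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+"`)

// dataURIMediaType returns the media type of a data: URI and whether the value
// was a data: URI at all. "data:,x" yields an empty media type, which the
// caller still flags because it is not an expected image type.
func dataURIMediaType(value string) (string, bool) {
	v := strings.ToLower(strings.TrimSpace(value))
	if !strings.HasPrefix(v, "data:") {
		return "", false
	}
	rest := v[len("data:"):]
	if i := strings.IndexAny(rest, ";,"); i >= 0 {
		rest = rest[:i]
	}
	return rest, true
}

// suspiciousIconRequests scans log lines and returns a Finding for every
// request to the icon endpoint whose content parameter is a data: URI with a
// media type outside the expected image set.
func suspiciousIconRequests(lines []string) []Finding {
	var findings []Finding
	for _, line := range lines {
		m := combinedLogRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a line in the expected format; skip rather than abort
		}
		client, target := m[1], m[3]
		u, err := url.Parse(target)
		if err != nil || u.Path != iconEndpoint {
			continue
		}
		// Query() percent-decodes, so data%3Atext%2Fxml becomes data:text/xml.
		content := u.Query().Get("content")
		if mt, ok := dataURIMediaType(content); ok && !expectedIconMediaTypes[mt] {
			findings = append(findings, Finding{Client: client, Content: content})
		}
	}
	return findings
}

// sampleAccessLog is constructed for this example; these are not real requests.
var sampleAccessLog = []string{
	`203.0.113.10 - - [17/Mar/2026:10:00:01 +0000] "GET /api/icon/getDynamicIcon?content=hello HTTP/1.1" 200 512`,
	`203.0.113.11 - - [17/Mar/2026:10:00:02 +0000] "GET /api/icon/getDynamicIcon?content=data%3Atext%2Fxml%2Cplaceholder HTTP/1.1" 200 640`,
	`203.0.113.12 - - [17/Mar/2026:10:00:03 +0000] "GET /stage/build/app/index.html HTTP/1.1" 200 2048`,
	`203.0.113.13 - - [17/Mar/2026:10:00:04 +0000] "GET /api/icon/getDynamicIcon?content=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgo%3D HTTP/1.1" 200 700`,
}

func main() {
	for _, f := range suspiciousIconRequests(sampleAccessLog) {
		fmt.Printf("%s sent a non-image data URI to %s: %q\n", f.Client, iconEndpoint, f.Content)
	}
}
```

Decoding the query before inspecting it matters: a WAF or log rule that matches the literal string `data:text/xml` will miss the percent-encoded form that a browser actually sends, which is why the scanner works on `u.Query().Get("content")` rather than on the raw line.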
Remediation Steps
- Locate the SanitizeSVG function in kernel/util/misc.go
- Remove the existing strings.Contains blocklist checks for text/html, image/svg+xml, and application/xhtml+xml
- Implement a boolean check verifying the URI starts with safe prefixes like data:image/png, data:image/jpeg, data:image/gif, or data:image/webp
- Compile and deploy the updated application binary
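The four remediation steps amount to replacing a blocklist with an allowlist. The Go program below is an added example written for this advisory, not the code in SiYuan's kernel/util/misc.go; the function names (blocklistAllowsDataURI, allowlistAllowsDataURI, findDisallowedDataURIs) and the sample SVG are assumptions of the example. It shows side by side the strings.Contains blocklist the advisory describes and the prefix allowlist it recommends, then applies the allowlist to every attribute of an SVG document parsed with encoding/xml, which is where a sanitizer would make the decision. The allowlist goes one step beyond the advisory's wording by also requiring the character after the safe prefix to be ';' or ','.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// blocklistAllowsDataURI models the check the advisory names as the root
// cause: a strings.Contains blocklist of three media types. Any data: URI that
// does not mention one of them, data:text/xml included, is waved through.
func blocklistAllowsDataURI(uri string) bool {
	lower := strings.ToLower(uri)
	for _, bad := range []string{"text/html", "image/svg+xml", "application/xhtml+xml"} {
		if strings.Contains(lower, bad) {
			return false
		}
	}
	return true
}

// safeDataURIPrefixes is the allowlist from the advisory's remediation steps.
var safeDataURIPrefixes = []string{
	"data:image/png",
	"data:image/jpeg",
	"data:image/gif",
	"data:image/webp",
}

// allowlistAllowsDataURI is the recommended boolean check: the URI must begin
// with a safe prefix. As a tightening beyond the advisory's wording (an
// assumption of this example), the character after the prefix must be ';' or
// ',', the only characters data URI syntax permits after a media type, so a
// media type that merely starts with "image/png" does not qualify.
func allowlistAllowsDataURI(uri string) bool {
	lower := strings.ToLower(strings.TrimSpace(uri))
	for _, prefix := range safeDataURIPrefixes {
		if !strings.HasPrefix(lower, prefix) {
			continue
		}
		rest := lower[len(prefix):]
		if rest == "" || rest[0] == ';' || rest[0] == ',' {
			return true
		}
	}
	return false
}

// findDisallowedDataURIs walks an SVG document with encoding/xml and returns
// every attribute value that is a data: URI the allowlist rejects. A sanitizer
// would drop those attributes; this function only reports them so the
// decision can be tested.
func findDisallowedDataURIs(svg string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	var rejected []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return nil, err
		}
		start, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		for _, attr := range start.Attr {
			v := strings.TrimSpace(attr.Value)
			if strings.HasPrefix(strings.ToLower(v), "data:") && !allowlistAllowsDataURI(v) {
				rejected = append(rejected, v)
			}
		}
	}
}

// sampleSVG is constructed for this example. The second image carries a
// data:text/xml URI with placeholder content, the media type the advisory
// says the blocklist misses.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">
  <image href="data:image/png;base64,iVBORw0KGgo=" width="32" height="32"/>
  <image href="data:text/xml,placeholder" width="32" height="32"/>
</svg>`

func main() {
	rejected, err := findDisallowedDataURIs(sampleSVG)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, uri := range rejected {
		fmt.Printf("blocklist allows %q: %v; allowlist allows it: %v\n",
			uri, blocklistAllowsDataURI(uri), allowlistAllowsDataURI(uri))
	}
}
```

The contrast is the whole point of the fix: the blocklist returns true for the text/xml URI because it only asks "is this one of the three things I know are bad?", while the allowlist returns false because it asks "is this one of the four things I know are acceptable?". Every media type nobody thought of, now or later, falls on the safe side of the second question.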