VDB
CVE-2026-31809
CVE-2026-31809
PUBLISHED
CVSS 6.400000095367432 MEDIUM
SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (	), newline ( ), or carriage return ( ) characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10.
EPSS 0.50% · 66.3th percentile
Risk Scores
CVSS v4.0
6.400000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
EPSS Score
0.50%
66.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| siyuan-note | siyuan | < 3.5.10, * |
| b3log | siyuan | 0, 0 |
| github.com | siyuan-note/siyuan/kernel | 0, 0 |
Timeline
- Mar 10, 2026 CVE Published
- Mar 11, 2026 EPSS Score
- Mar 12, 2026 EPSS Score
- Mar 13, 2026 EPSS Score
- Mar 14, 2026 EPSS Score
- Mar 15, 2026 EPSS Score
- Mar 16, 2026 EPSS Score
- Mar 17, 2026 EPSS Score
- Mar 17, 2026 Coalition ESS Score
- Mar 17, 2026 Security Advisory
- Mar 18, 2026 EPSS Score
- Mar 19, 2026 EPSS Score