CVE-2026-32940: SiYuan XSS — Critical — Patch Now
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses d...
Overview
A critical security vulnerability, tracked as CVE-2026-32940, has been discovered in the SiYuan personal knowledge management software. This flaw is a cross-site scripting (XSS) vulnerability that could allow an attacker to execute malicious JavaScript in the context of a victim’s SiYuan session. The issue affects versions 3.6.0 and below and has been addressed in version 3.6.1.
Vulnerability Details
The vulnerability exists because the software's SVG sanitizer (SanitizeSVG) relies on an incomplete blocklist. It blocks data:text/html and data:image/svg+xml in href attributes, but it fails to block data:text/xml and data:application/xml, which a browser will also render as a document. An attacker can exploit this oversight by crafting a malicious link that uses one of the unblocked types.
The attack targets a specific API endpoint (/api/icon/getDynamicIcon) that generates dynamic SVG icons. This endpoint accepts user-controlled input and inserts it directly into an SVG image without proper sanitization. When a victim visits a specially crafted URL or views a page embedding this malicious SVG, the attacker’s code can execute. This is known as a “click-through” XSS attack, as it typically requires the victim to click a link within the rendered SVG.
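The sanitizer flaw above is a blocklist problem: every data: MIME type the list forgets is a bypass. The Go program below is an added illustration written for this page, not SiYuan's SanitizeSVG, and it is assumed to run on a string of SVG markup. It puts a blocklist policy modelled on the advisory (only the two named types refused) next to an allowlist policy (no scheme, or http/https, accepted; everything else, including every data: URI, refused), normalises the value the way a browser does before checking it (ASCII whitespace and control characters dropped, case folded), and rewrites rejected hrefs to "#" while returning what it neutralised so the event can be logged. The sample SVG and its href values are constructed and carry no executable content.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// hrefAttr matches href / xlink:href attributes and captures the value.
// Constructed for this example; it is not SiYuan's own SanitizeSVG.
var hrefAttr = regexp.MustCompile(`(?i)(\s(?:xlink:)?href\s*=\s*)["']([^"']*)["']`)

// schemeRE extracts a URL scheme from an already-normalised href.
var schemeRE = regexp.MustCompile(`^([a-z][a-z0-9+.\-]*):`)

// allowedSchemes is the allowlist: only these schemes may appear in an icon.
var allowedSchemes = map[string]bool{"http": true, "https": true}

// normalize drops ASCII whitespace and control characters, which browsers
// ignore inside a URL, and folds case, so "DA\tTA:" is seen as "data:".
func normalize(href string) string {
	stripped := strings.Map(func(r rune) rune {
		if r <= ' ' || r == 0x7f || unicode.IsSpace(r) {
			return -1
		}
		return r
	}, href)
	return strings.ToLower(stripped)
}

// blocklistRejects models the incomplete-blocklist approach the advisory
// describes: only two data: MIME types are refused, so data:text/xml and
// data:application/xml pass straight through.
func blocklistRejects(href string) bool {
	n := normalize(href)
	return strings.HasPrefix(n, "data:text/html") || strings.HasPrefix(n, "data:image/svg+xml")
}

// allowlistRejects is the defensive alternative: a relative path or #fragment
// has no scheme and is fine; a scheme is accepted only if it is allowlisted.
func allowlistRejects(href string) bool {
	m := schemeRE.FindStringSubmatch(normalize(href))
	if m == nil {
		return false
	}
	return !allowedSchemes[m[1]]
}

// SanitizeHrefs rewrites every href the policy rejects to "#", keeping the
// element well-formed but pointing nowhere, and returns the values it removed.
func SanitizeHrefs(svg string, rejects func(string) bool) (string, []string) {
	var removed []string
	out := hrefAttr.ReplaceAllStringFunc(svg, func(match string) string {
		sub := hrefAttr.FindStringSubmatch(match)
		if rejects(sub[2]) {
			removed = append(removed, sub[2])
			return sub[1] + `"#"`
		}
		return match
	})
	return out, removed
}

// sampleSVG is constructed for this example; the data: values are inert.
const sampleSVG = `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a href="#local-icon"><text>ok</text></a>
  <a href="data:text/html,placeholder"><text>refused by both policies</text></a>
  <a xlink:href="data:text/xml,placeholder"><text>missed by the blocklist</text></a>
</svg>`

func main() {
	_, byBlocklist := SanitizeHrefs(sampleSVG, blocklistRejects)
	_, byAllowlist := SanitizeHrefs(sampleSVG, allowlistRejects)
	fmt.Printf("blocklist removed %d href(s): %v\n", len(byBlocklist), byBlocklist)
	fmt.Printf("allowlist removed %d href(s): %v\n", len(byAllowlist), byAllowlist)
}
```

The point of the comparison is that the allowlist never needs to learn about a new MIME type: a data: URI of any kind has a scheme that is not on the list, so it is refused without the sanitizer having to enumerate what is dangerous.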
Potential Impact
With a CVSS score of 9.3 (CRITICAL), this vulnerability poses a severe risk. Successful exploitation could allow an unauthenticated remote attacker to:
- Steal a user’s session cookies and authentication tokens.
- Perform actions within the SiYuan application as the victim, such as modifying, deleting, or exfiltrating personal knowledge data.
- Redirect the user to malicious websites.
This could lead to a complete compromise of a user’s private notes and data. For organizations using SiYuan, this could result in significant data breaches. You can review past incidents to understand the potential fallout at breach reports.
Remediation and Mitigation
The primary and most effective action is to upgrade SiYuan to version 3.6.1 or later immediately. This version contains the complete fix for the sanitization bypass.
Immediate Actions:
- Update: All users and administrators of SiYuan must upgrade their installations to version 3.6.1 without delay.
- Assess Exposure: If immediate updating is not possible, review server logs for any suspicious access to the /api/icon/getDynamicIcon endpoint.
- Network Controls: As a temporary measure, consider using a web application firewall (WAF) to block requests containing the malicious data:text/xml and data:application/xml patterns targeting the vulnerable endpoint. This is not a substitute for patching.
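The log review and WAF pattern above need the same logic: find requests to /api/icon/getDynamicIcon whose query carries a data: URI of one of the named types, after undoing the percent-encoding an attacker would use to slip past a naive string match. The Go program below is an added example for this page, not part of SiYuan or any WAF product. It assumes access logs in the Apache/nginx combined format; the log lines, client addresses and query parameter names (such as content) are constructed placeholders, since the advisory does not name the endpoint's parameters. It decodes the query up to twice to catch double encoding, normalises case and stray whitespace, and reports each hit with the source address and timestamp an incident responder would pivot on.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"unicode"
)

// vulnerableEndpoint is the path named in the advisory.
const vulnerableEndpoint = "/api/icon/getDynamicIcon"

// Finding is one suspicious request worth triaging.
type Finding struct {
	IP, Time, MIME, Target string
}

var (
	// logLine parses the combined log format: client, timestamp, method, target.
	logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*"`)
	// dataURI lists the two unblocked types from the advisory plus the two the
	// sanitizer already refuses, so probes for either are surfaced.
	dataURI = regexp.MustCompile(`data:(text/xml|application/xml|text/html|image/svg\+xml)`)
)

// flatten removes whitespace and control characters and folds case, so
// "DATA : text/xml" is compared as "data:text/xml".
func flatten(s string) string {
	stripped := strings.Map(func(r rune) rune {
		if r <= ' ' || r == 0x7f || unicode.IsSpace(r) {
			return -1
		}
		return r
	}, s)
	return strings.ToLower(stripped)
}

// decodeQuery percent-decodes up to twice so a double-encoded value is
// inspected in its final form; a decode error keeps the last good form.
func decodeQuery(q string) string {
	for i := 0; i < 2; i++ {
		d, err := url.QueryUnescape(q)
		if err != nil || d == q {
			break
		}
		q = d
	}
	return q
}

// ScanAccessLog returns every request to the vulnerable endpoint whose
// decoded query contains one of the listed data: URI types.
func ScanAccessLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := logLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		u, err := url.Parse(m[4])
		if err != nil || u.Path != vulnerableEndpoint {
			continue
		}
		q := flatten(decodeQuery(u.RawQuery))
		if hit := dataURI.FindStringSubmatch(q); hit != nil {
			findings = append(findings, Finding{IP: m[1], Time: m[2], MIME: hit[1], Target: m[4]})
		}
	}
	return findings
}

// sampleLog is constructed for this example: placeholder addresses, a
// hypothetical "content" parameter, and inert data: values.
const sampleLog = `10.0.0.5 - - [03/Apr/2026:10:01:02 +0000] "GET /api/icon/getDynamicIcon?type=1&color=%23ff0000 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Apr/2026:10:01:09 +0000] "GET /api/icon/getDynamicIcon?type=1&content=data%3Atext%2Fxml%2Cplaceholder HTTP/1.1" 200 930 "-" "curl/8.5.0"
10.0.0.9 - - [03/Apr/2026:10:02:11 +0000] "GET /api/icon/getDynamicIcon?content=DATA:application/xml,placeholder HTTP/1.1" 200 940 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Apr/2026:10:02:30 +0000] "GET /api/system/version HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Apr/2026:10:03:00 +0000] "GET /api/icon/getDynamicIcon?content=data%3Atext%2Fhtml%2Cplaceholder HTTP/1.1" 200 900 "-" "Mozilla/5.0"
`

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("%s %s data:%s %s\n", f.Time, f.IP, f.MIME, f.Target)
	}
}
```

A WAF rule built the same way should match on the decoded, case-folded query rather than the raw request line; otherwise data%3Atext%2Fxml or DATA:text/xml walks past it. The colour value in the first line decodes to a "#" and is correctly left alone.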
Staying informed about such critical updates is crucial for maintaining security. For the latest on vulnerabilities and patches, follow security news. There is no workaround for this vulnerability; applying the official patch is the only complete solution.
Related Advisories
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerab...
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execu...
A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects...