Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.6.1; 0.0.0-20260330031106-f09953afc57a
CVE-2026-34605 describes a cross-site scripting (XSS) vulnerability within the Siyuan Kernel, specifically impacting versions before 0.0.0-20260330031106-f09953afc57a. This flaw arises from a bypass in the SanitizeSVG function, which was initially introduced to address a previous XSS issue. The vulnerability allows attackers to inject malicious scripts into SVG icons, potentially leading to unauthorized actions or data theft.
An attacker can exploit this vulnerability by crafting a malicious SVG icon that uses a namespace-prefixed element (e.g., <x:script xmlns:x="http://www.w3.org/2000/svg">). Because the HTML5 parser used by the sanitizer records the tag name incorrectly, the sanitization check fails to recognize the element as a script, and the SVG is served without proper Content Security Policy restrictions. When a user views this SVG, the browser parses it as XML, resolves the namespace prefix, and executes the embedded script in the user's browser context. This can lead to session hijacking, defacement of the application, or theft of sensitive user data. The blast radius is limited to users who interact with the affected SVG icons.
CVE-2026-34605 was publicly disclosed on 2026-04-01. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature makes it likely that a PoC will be developed and shared publicly. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34605 is to immediately upgrade Siyuan Kernel to version 0.0.0-20260330031106-f09953afc57a or later. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) that restricts script execution from external sources. Additionally, carefully review any custom SVG icons used within the application to ensure they do not contain malicious code. After upgrading, verify the fix by attempting to load a crafted SVG icon containing a namespace-prefixed script tag; the browser should not execute the script.
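The following Go program is an added example, not SiYuan's code and not its SanitizeSVG function. It illustrates the mechanism from the exploitation paragraph above (a check on the literal tag name misses a namespace-prefixed element, while a namespace-aware XML parse sees it as a script) and the two mitigation layers from this paragraph (reject active content at the boundary, and serve icons with a restrictive CSP). The sample icons, the NaiveHasScript, CheckSVG and ServeIcon functions, and the IconCSP value are all constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample icons for this example; none is taken from the advisory.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><circle cx="8" cy="8" r="6"/></svg>`

// The element shape the advisory describes: a prefixed name that resolves to
// the SVG namespace once a namespace-aware (XML) parser expands the prefix.
const prefixedScriptSVG = `<svg xmlns="http://www.w3.org/2000/svg"><x:script xmlns:x="http://www.w3.org/2000/svg">/* constructed body */</x:script></svg>`

// A second class of active content that a sanitizer must also catch.
const handlerSVG = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8" onload="/* constructed body */"/></svg>`

// NaiveHasScript illustrates the failure class (it is not SiYuan's SanitizeSVG):
// matching on the literal tag name never sees "x:script".
func NaiveHasScript(svg string) bool {
	return strings.Contains(strings.ToLower(svg), "<script")
}

// ErrUnsafeSVG is returned for any document that carries active content.
var ErrUnsafeSVG = errors.New("svg contains active content")

// CheckSVG walks the document with encoding/xml, which resolves namespace
// prefixes the way a browser's XML parser does, so Name.Local is "script"
// however the element was spelled. It also rejects event-handler attributes
// and javascript: URLs, and treats a parse error as unsafe (fail closed).
func CheckSVG(svg string) error {
	dec := xml.NewDecoder(strings.NewReader(svg))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("%w: unparseable document: %v", ErrUnsafeSVG, err)
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		// XML names are case-sensitive; EqualFold is defence in depth for
		// content that may later be embedded in an HTML context.
		if strings.EqualFold(se.Name.Local, "script") {
			return fmt.Errorf("%w: <%s> resolved to namespace %q", ErrUnsafeSVG, se.Name.Local, se.Name.Space)
		}
		for _, a := range se.Attr {
			local := strings.ToLower(a.Name.Local)
			val := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(local, "on") {
				return fmt.Errorf("%w: event handler %s on <%s>", ErrUnsafeSVG, a.Name.Local, se.Name.Local)
			}
			// Covers both href and xlink:href, since Local drops the prefix.
			if local == "href" && strings.HasPrefix(val, "javascript:") {
				return fmt.Errorf("%w: javascript: URL on <%s>", ErrUnsafeSVG, se.Name.Local)
			}
		}
	}
}

// IconCSP is a restrictive policy for an image-only response: no scripts, no
// external fetches, inline styles only (SVG icons commonly carry <style>).
const IconCSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"

// ServeIcon is a hypothetical handler (not SiYuan's) showing the two layers
// together: reject active content at the boundary, and serve what passes with
// a CSP so that a future sanitizer bypass still cannot execute script.
func ServeIcon(svg string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := CheckSVG(svg); err != nil {
			http.Error(w, "icon rejected: "+err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "image/svg+xml")
		w.Header().Set("Content-Security-Policy", IconCSP)
		w.Header().Set("X-Content-Type-Options", "nosniff")
		io.WriteString(w, svg)
	})
}

func main() {
	for _, c := range []struct{ name, doc string }{
		{"benign", benignSVG}, {"prefixed script", prefixedScriptSVG}, {"event handler", handlerSVG},
	} {
		fmt.Printf("%-16s naive=%-5v namespace-aware=%v\n", c.name, NaiveHasScript(c.doc), CheckSVG(c.doc))
	}
}
```

Running the program shows the naive check returning false for the prefixed icon while CheckSVG rejects it, which is the gap the advisory describes. The CSP header is the second layer: even if a sanitizer bypass reaches the browser, a policy with no script-src (and the sandbox directive) on the icon response keeps the document from running script.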
Update SiYuan to version 3.6.2 or later. This version fixes the reflected XSS vulnerability in the SanitizeSVG function.
CVE-2026-34605 is a cross-site scripting (XSS) vulnerability in Siyuan Kernel where namespace-prefixed SVG elements bypass sanitization, allowing script execution.
You are affected if you are using Siyuan Kernel versions prior to 0.0.0-20260330031106-f09953afc57a. Upgrade to the latest version to mitigate the risk.
Upgrade Siyuan Kernel to version 0.0.0-20260330031106-f09953afc57a or later. Consider implementing a Content Security Policy (CSP) as an additional precaution.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it could be exploited in the future.
Refer to the Siyuan project's official security advisories and release notes for details on this vulnerability and the corresponding fix.