Platform: go
Component: github.com/siyuan-note/siyuan
Fixed in: 3.6.2
0.0.1
CVE-2026-32940 describes a critical SVG sanitization bypass in SiYuan Note, a knowledge management application. The bypass defeats the intended sanitization of SVG content (the SanitizeSVG function) and lets an attacker inject JavaScript that runs in the browser. The vulnerability affects versions prior to the Go module pseudo-version 0.0.0-20260313024916-fd6526133bb3 and is addressed in release 3.6.1.
An attacker crafts an SVG containing script, wraps it in a data: URL whose media type is text/xml or application/xml rather than image/svg+xml, and sends it as the content parameter of the /api/icon/getDynamicIcon endpoint. The endpoint is unauthenticated, so no credentials are needed to trigger the bug. When the returned document is rendered in a user's browser, the injected JavaScript executes in the origin of the SiYuan instance, which can lead to information disclosure, session hijacking, or full account takeover. The impact is amplified by the fact that SiYuan Note is typically used to store sensitive notes, so a successful attack exposes that data.
CVE-2026-32940 was publicly disclosed on 2026-03-17. Exploitation is considered likely: the attack is a single unauthenticated request with a trivial payload, and public proof-of-concept (PoC) code is expected to appear. The flaw is an incomplete fix for CVE-2026-29183, which suggests that the same sanitization weakness may exist elsewhere in the application. Check CISA KEV for updates on confirmed exploitation.
Anyone who relies on SiYuan Note to store sensitive knowledge is at risk: individuals, teams, and organizations using it for note-taking, project management, or research. Shared instances are the most exposed, because script running in the instance's origin acts with the session of whichever user renders the malicious content, so one victim can expose data belonging to every user of that instance.
• linux / server (only useful if the service logs request lines; a reverse-proxy access log is the more reliable source, and the search should also cover data:application/xml and percent-encoded forms such as data%3Atext%2Fxml):
journalctl -u siyuan-note -g "data:text/xml"
• generic web (-I sends a HEAD request; if the endpoint only answers GET, use curl -sS -o /dev/null -D - instead):
curl -I 'http://<siyuan_server>/api/icon/getDynamicIcon?content=data:text/xml...' | grep Content-Type
• generic web (a zero exit status from curl only proves the server answered; the instance is vulnerable only if the returned body still contains the injected script, so test the body for the marker used in the payload, not the exit status):
curl -s 'http://<siyuan_server>/api/icon/getDynamicIcon?content=data:text/xml...' | grep -qi '<script' && echo "Vulnerability potentially present"
Exploit status: (no value given)
EPSS: 0.06% (18th percentile)
CISA SSVC: (no value given)
CVSS vector: (no value given)
The primary mitigation for CVE-2026-32940 is to upgrade SiYuan Note to version 3.6.1 or later without delay. If upgrading must wait because of compatibility or downtime concerns, add a Web Application Firewall (WAF) rule that rejects requests to /api/icon/getDynamicIcon whose content parameter carries a data: URL with media type text/xml or application/xml. Match on the decoded parameter value, not the raw query string: the carrier can arrive percent-encoded (data%3Atext%2Fxml), in mixed case, or with a ;base64 marker, and a plain substring rule on data:text/xml misses all three. Treat the rule as a stopgap, since the root cause is the sanitizer bypass rather than the carrier type. Also review any third-party plugins or extensions, since they may accept SVG through their own paths. After upgrading, confirm the fix by requesting a known malicious SVG payload through the endpoint and verifying that the returned document no longer executes script in the browser.
Upgrade SiYuan to version 3.6.1 or later. This version fixes the cross-site scripting (XSS) vulnerability by correctly sanitizing SVG input and preventing execution of unwanted JavaScript.
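The following Go program is an added example written for this page; it is not SiYuan's code and not part of the advisory. It serves both the log-based detection above and the WAF workaround: it classifies the content parameter of a /api/icon/getDynamicIcon request by parsing the data: URL by hand (media type, optional ;base64 marker, percent-encoded body), so it catches the encodings a substring match on data:text/xml misses, and it flags script markers in the decoded body whatever the carrier type. The endpoint path and the two XML media types come from the advisory; the access-log lines, the regular expressions used as script markers, the Finding type and the ShouldBlock policy are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is what the content parameter of a getDynamicIcon request carries.
type Finding struct {
	MediaType  string // media type of the data: URL, lower-cased
	Base64     bool   // payload carried a ;base64 marker
	XMLWrapped bool   // text/xml or application/xml carrier, as in the advisory
	HasScript  bool   // decoded body has <script, an on*= handler or a javascript: URL
}

// Script markers for this example; a real sanitizer would parse the XML instead.
var (
	scriptTag = regexp.MustCompile(`(?i)<\s*script\b`)
	onHandler = regexp.MustCompile(`(?i)[\s"']on[a-z]+\s*=`)
	jsURL     = regexp.MustCompile(`(?i)javascript\s*:`)
)

// contentParam pulls content= out of a query string by hand: url.Values drops
// pairs containing ';', which a data: URL with a ;base64 marker contains.
func contentParam(rawQuery string) string {
	for _, pair := range strings.Split(rawQuery, "&") {
		if k, v, _ := strings.Cut(pair, "="); k == "content" {
			if dec, err := url.QueryUnescape(v); err == nil {
				return dec
			}
			return v
		}
	}
	return ""
}

// parseDataURL splits a data: URL into media type, base64 flag and decoded body.
// Anything that is not a data: URL yields an empty media type and a nil body.
func parseDataURL(raw string) (mediaType string, isB64 bool, body []byte) {
	header, payload, found := strings.Cut(raw, ",")
	if !found || !strings.HasPrefix(strings.ToLower(header), "data:") {
		return "", false, nil
	}
	params := strings.Split(header[5:], ";")
	mediaType = strings.ToLower(strings.TrimSpace(params[0]))
	for _, p := range params[1:] {
		isB64 = isB64 || strings.EqualFold(strings.TrimSpace(p), "base64")
	}
	if isB64 {
		// QueryUnescape turned '+' into ' '; put it back before decoding.
		body, _ = base64.StdEncoding.DecodeString(strings.ReplaceAll(payload, " ", "+"))
		return mediaType, true, body
	}
	// Second percent-decoding layer: the body inside the data: URL may be encoded too.
	if unescaped, err := url.PathUnescape(payload); err == nil {
		payload = unescaped
	}
	return mediaType, false, []byte(payload)
}

// InspectRequest classifies a request target (path plus query string);
// ok is false for any endpoint other than getDynamicIcon.
func InspectRequest(target string) (f Finding, ok bool) {
	path, rawQuery, _ := strings.Cut(target, "?")
	if path != "/api/icon/getDynamicIcon" {
		return Finding{}, false
	}
	mt, b64, body := parseDataURL(contentParam(rawQuery))
	f = Finding{MediaType: mt, Base64: b64, XMLWrapped: mt == "text/xml" || mt == "application/xml"}
	f.HasScript = scriptTag.Match(body) || onHandler.Match(body) || jsURL.Match(body)
	return f, true
}

// ShouldBlock is the WAF decision: stricter than a substring match on data:text/xml,
// it also rejects encoded carriers and script inside an image/svg+xml data: URL.
func ShouldBlock(f Finding) bool { return f.XMLWrapped || f.HasScript }

// ScanAccessLog returns the request targets in combined-format access log
// lines that ShouldBlock would have rejected.
func ScanAccessLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		_, rest, _ := strings.Cut(line, `"`) // rest starts with `GET /path?query HTTP/1.1"`
		if req := strings.Fields(rest); len(req) >= 2 {
			if f, ok := InspectRequest(req[1]); ok && ShouldBlock(f) {
				hits = append(hits, req[1])
			}
		}
	}
	return hits
}

// SampleLog is constructed for this example, not real proxy or SiYuan output.
var SampleLog = []string{
	`203.0.113.5 - - [17/Mar/2026:10:00:01 +0000] "GET /api/icon/getDynamicIcon?content=data:image/svg%2Bxml,%3Csvg%20xmlns=%22http://www.w3.org/2000/svg%22/%3E HTTP/1.1" 200 512`,
	`203.0.113.9 - - [17/Mar/2026:10:00:02 +0000] "GET /api/icon/getDynamicIcon?content=data:text/xml,%3Csvg%20onload=%22alert(1)%22/%3E HTTP/1.1" 200 64`,
	`203.0.113.9 - - [17/Mar/2026:10:00:03 +0000] "GET /api/icon/getDynamicIcon?content=data:application/xml;base64,PHN2ZyBvbmxvYWQ9ImFsZXJ0KDEpIi8+ HTTP/1.1" 200 64`,
}

func main() {
	for _, hit := range ScanAccessLog(SampleLog) {
		fmt.Println("suspicious:", hit)
	}
}
```

Running it prints the second and third sample requests: the plain text/xml carrier and the base64-encoded application/xml carrier, which a journalctl grep for data:text/xml would not have found. The first request, a benign image/svg+xml icon, passes. The same InspectRequest logic can sit behind a WAF or reverse-proxy rule, with the caveat that it is a carrier-level check and does not replace the upstream sanitizer fix.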
CVE-2026-32940 is a critical vulnerability in Siyuan Note that allows attackers to inject malicious JavaScript code via a bypass in the SanitizeSVG function, affecting versions prior to 3.6.1.
You are affected if you are using Siyuan Note versions prior to 3.6.1. Check your version and upgrade immediately.
Upgrade SiYuan Note to version 3.6.1 or later. As a temporary workaround, implement a WAF rule that blocks requests whose decoded content parameter carries a data:text/xml or data:application/xml URL.
No active exploitation has been confirmed, but exploitation is considered likely and public PoCs are expected, which raises the risk.
Refer to the official Siyuan Note security advisory for details and updates: [https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory URL)