NIXPKGS-2026-0622

GitHub issue published on 11 Mar 2026

Permalink CVE-2026-31809

updated 3 days, 23 hours ago by @mweinelt Activity log

Created automatic suggestion 4 days, 8 hours ago
@mweinelt accepted 4 days ago
@mweinelt published on GitHub 3 days, 23 hours ago

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) checks href attributes for the javascript: prefix using strings.HasPrefix(). However, inserting ASCII tab (	), newline (
), or carriage return () characters inside the javascript: string bypasses this prefix check. Browsers strip these characters per the WHATWG URL specification before parsing the URL scheme, so the JavaScript still executes. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint, creating a reflected XSS. This is a second bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in 3.5.10.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr x_refsource_CONFIRM

Affected products

siyuan

==< 3.5.10

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.5.8
- nixpkgs-unstable 3.5.8
- nixos-unstable-small 3.5.9
nixos-25.11 3.5.4
- nixos-25.11-small 3.5.4
- nixpkgs-25.11-darwin 3.5.4

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0622

References

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers