CVE-2026-34605 Scanner

SiYuan Note is a popular note-taking application used by individuals and professionals to organize information, support collaboration, and document key insights across various fields. It is designed to aid users in managing both personal and team notes, making it versatile for a wide array of projects and tasks. The application is valued for its intuitive interface and powerful organization tools, which streamline the process of note-taking and retrieval. Many educational institutions, project managers, and creative professionals rely on SiYuan Note for its robust feature set, enhancing productivity and efficiency. As a widely implemented solution, any discovered vulnerabilities can have significant implications for its diverse user base. The application's ongoing updates and improvements also aim to enhance user experience and security.

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, potentially stealing session tokens or other sensitive information. This form of attack is particularly insidious as it runs code in the context of the victim's browser, exploiting any trust that may exist between the browser and the visited website. In SiYuan Note, the XSS vulnerability arises from inadequate filtering of SVG elements containing namespace prefixes that bypass security functions. This vulnerability can be leveraged by creating specifically crafted links that, when accessed by unsuspecting users, result in arbitrary JavaScript execution in the browser. Addressing such vulnerabilities is crucial to preventing unauthorized access and manipulation of the note-taking application's environment.

The vulnerability in SiYuan Note is exploited through the `/api/icon/getDynamicIcon` endpoint, which improperly processes SVG elements with a namespace prefix. Attackers can bypass the `SanitizeSVG` function by incorporating a namespaced script element, such as ``, allowing for execution of arbitrary JavaScript. This occurs when a user with the necessary privileges opens a crafted link leading to this endpoint, triggering the malfunction. The improper filtering does not strip the namespace, which ordinarily would prevent embedded scripts from executing. By targeting this path, attackers can achieve execution of scripts with full access to the victim's browser context, potentially gaining access to sensitive data or executing unauthorized actions.

Exploiting the XSS vulnerability could have severe consequences. Attackers executing XSS attacks might gain unauthorized access to user sessions, allowing them to perform actions on behalf of the victim. This unauthorized access can lead to data theft, unauthorized modifications, or the illicit use of features provided by SiYuan Note. If the victim is an authenticated user, attackers could extract sensitive information or manipulate existing data, compromising the integrity and confidentiality of all stored notes and related applications. This vulnerability, left unaddressed, poses a substantial risk to the security framework of the note-taking software, potentially facilitating broad spectrum breaches.

REFERENCES

• https://github.com/siyuan-note/siyuan/security/advisories/GHSA-73g7-86qr-jrg3
• https://nvd.nist.gov/vuln/detail/CVE-2026-34605