CVE-2026-32940 Overview
CVE-2026-32940 is a Cross-Site Scripting (XSS) vulnerability affecting SiYuan, a personal knowledge management system developed by B3log. The vulnerability exists in the SanitizeSVG function which implements an incomplete blocklist for data URI schemes in href attributes. While the blocklist properly blocks data:text/html and data:image/svg+xml, it fails to filter data:text/xml and data:application/xml MIME types, both of which can render SVG content with JavaScript execution capabilities.
The unauthenticated /api/icon/getDynamicIcon endpoint directly serves user-controlled input via the content parameter into SVG markup using fmt.Sprintf with no escaping, served with Content-Type: image/svg+xml. This creates a click-through XSS attack vector where victims navigating to a crafted URL see an SVG with an injected link, and clicking it triggers JavaScript execution via the bypassed MIME types.
Critical Impact
Attackers can achieve JavaScript execution in victims' browsers through crafted URLs targeting the unauthenticated getDynamicIcon endpoint, potentially leading to session hijacking, credential theft, or other client-side attacks.
Affected Products
- B3log SiYuan versions 3.6.0 and below
- SiYuan instances with exposed /api/icon/getDynamicIcon endpoint
- Deployments allowing direct navigation or <object>/<embed> embedding of SVG content
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-32940 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32940
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw stems from an incomplete allowlist/blocklist approach in the SVG sanitization logic. The SanitizeSVG function was designed to prevent malicious content injection by blocking specific data URI schemes in href attributes, but the implementation failed to account for alternative MIME types that can also execute scripts when rendered as SVG.
The attack vector requires user interaction—specifically, clicking on a maliciously crafted link within the rendered SVG. The vulnerability cannot be exploited through <img> tag rendering in the frontend since image tags don't allow interactive links. However, direct navigation to the endpoint or embedding via <object> or <embed> tags enables the attack.
Root Cause
The root cause is an incomplete blocklist implementation in the SVG sanitization function. The original code only checked for data:text/html, data:image/svg+xml, and data:application/xhtml+xml MIME types, missing data:text/xml and data:application/xml which can both render SVG content with embedded JavaScript. Additionally, the /api/icon/getDynamicIcon endpoint accepts unauthenticated requests and passes user input directly into SVG markup without proper escaping using fmt.Sprintf.
Attack Vector
The attack requires network access to the vulnerable SiYuan instance. An attacker constructs a malicious URL targeting the /api/icon/getDynamicIcon endpoint with a crafted content parameter containing an SVG link using a bypassed MIME type (such as data:text/xml or data:application/xml) that includes JavaScript. When a victim navigates to this URL and clicks the injected link, the JavaScript executes in their browser context.
// Security patch in kernel/util/misc.go - Transition from blocklist to allowlist approach
// Source: https://github.com/siyuan-note/siyuan/commit/d01d561875d4f744e9f6232f1d4831e3642b8696
if strings.HasPrefix(val, "javascript:") {
continue
}
- // 对 data: 做保守处理,删除包含可执行内容的 data:text/html 或 data:image/svg+xml
+ // 对 data: 做保守处理,只允许常见安全的图片格式(png/jpeg/gif/webp)
if strings.HasPrefix(val, "data:") {
- if strings.Contains(val, "text/html") || strings.Contains(val, "image/svg+xml") || strings.Contains(val, "application/xhtml+xml") {
+ safe := strings.HasPrefix(val, "data:image/png") ||
+ strings.HasPrefix(val, "data:image/jpeg") ||
+ strings.HasPrefix(val, "data:image/gif") ||
+ strings.HasPrefix(val, "data:image/webp")
+ if !safe {
continue
}
}
The patch transitions from an incomplete blocklist approach to a conservative allowlist, permitting only known-safe image formats (data:image/png, data:image/jpeg, data:image/gif, data:image/webp) in data URIs.
Detection Methods for CVE-2026-32940
Indicators of Compromise
- HTTP requests to /api/icon/getDynamicIcon endpoint with suspicious content parameters containing data:text/xml or data:application/xml payloads
- SVG content served from the application containing unexpected href attributes with data URI schemes
- Browser console errors or security warnings related to inline script execution from SVG content
- Unusual outbound connections or cookie exfiltration attempts following user access to SVG resources
Detection Strategies
- Monitor web server logs for requests to /api/icon/getDynamicIcon containing encoded JavaScript or data URI payloads
- Implement Web Application Firewall (WAF) rules to detect and block requests containing data:text/xml or data:application/xml in query parameters
- Deploy Content Security Policy (CSP) headers to restrict inline script execution and mitigate XSS impact
- Use browser-based XSS detection tools during security testing to identify reflected content in SVG responses
Monitoring Recommendations
- Enable detailed access logging for the /api/icon/ endpoint family to capture full request parameters
- Set up alerting for anomalous patterns in getDynamicIcon requests, particularly those with large or encoded content parameters
- Monitor for CSP violation reports that may indicate attempted XSS exploitation
- Review application logs for patterns consistent with automated vulnerability scanning targeting this endpoint
How to Mitigate CVE-2026-32940
Immediate Actions Required
- Upgrade SiYuan to version 3.6.1 or later immediately to apply the security patch
- If immediate upgrade is not possible, restrict access to the /api/icon/getDynamicIcon endpoint at the network or reverse proxy level
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
- Review access logs for evidence of exploitation attempts against the vulnerable endpoint
Patch Information
The vulnerability has been fixed in SiYuan version 3.6.1. The patch modifies the SVG sanitization logic in kernel/util/misc.go to use a conservative allowlist approach instead of the vulnerable blocklist. Only known-safe image MIME types (image/png, image/jpeg, image/gif, image/webp) are now permitted in data URIs within href attributes. Users should upgrade to version 3.6.1 or later by following the official release instructions. The specific commit addressing this vulnerability is available in the GitHub repository.
Workarounds
- Block or restrict access to the /api/icon/getDynamicIcon endpoint using reverse proxy rules or firewall configurations until patching is complete
- Implement strict Content Security Policy headers with script-src 'self' to prevent inline JavaScript execution
- Place SiYuan instances behind authentication layers to prevent unauthenticated access to API endpoints
- Use network segmentation to limit exposure of SiYuan instances to trusted users only
# Example nginx configuration to block vulnerable endpoint
location /api/icon/getDynamicIcon {
# Block access to vulnerable endpoint until patch is applied
deny all;
return 403;
}
# Alternative: Implement CSP headers as defense-in-depth
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
