Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31807 PoC — SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

Source
https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-31807.yaml
Associated Vulnerability
Title:SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS (CVE-2026-31807)
Description:SiYuan is a personal knowledge management system. Prior to 3.5.10, SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (<script>, <iframe>, <foreignobject>) and removes on* event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements (<animate>, <set>) which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS. This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9). This vulnerability is fixed in v3.5.10.
Description
SiYuan <= v3.5.9 contains a reflected XSS caused by insufficient SVG sanitization allowing SVG animation elements to inject executable JavaScript in /api/icon/getDynamicIcon endpoint, letting unauthenticated attackers execute scripts.
File Snapshot

 id: CVE-2026-31807

info:
  name: SiYuan <= v3.5.9 - SVG Animate Element XSS
  author: 0x_Akoko
  se

...
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →