Home / Vulnerability Intelligence / CVE-2026-32940

CVE-2026-32940 - Vulnerability Analysis

CriticalCVSS: 9.3

Last Updated: March 20, 2026

SiYuan - Stored XSS

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

SiYuan <= 3.6.0 contains a stored XSS caused by incomplete SanitizeSVG blocklist missing data:text/xml and data:application/xml in href attributes in /api/icon/getDynamicIcon endpoint, letting unauthenticated attackers execute JavaScript via crafted SVG links, exploit requires victim to navigate or embed the crafted SVG.

Severity & Score

Severity: Critical

CVSS Score: 9.3

Impact

Unauthenticated attackers can execute JavaScript in victim's browser via crafted SVG links, leading to potential session hijacking or other client-side attacks.

Mitigation

Update to version 3.6.1 or later.

References

Related Resources

Details

CVE ID: CVE-2026-32940
Severity: Critical
CVSS Score: 9.3
Type: stored_xss
Status: new

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N