Home / Vulnerability Intelligence / CVE-2026-32940

CVE-2026-32940 - Vulnerability Analysis

CriticalCVSS: 9.3

Last Updated: March 20, 2026

SiYuan - Stored XSS

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

SiYuan <= 3.6.0 contains a stored XSS caused by incomplete SanitizeSVG blocklist missing data:text/xml and data:application/xml in href attributes in /api/icon/getDynamicIcon endpoint, letting unauthenticated attackers execute JavaScript via crafted SVG links, exploit requires victim to navigate or embed the crafted SVG.

Severity & Score

Severity: Critical

CVSS Score: 9.3

EPSS Score: 4.8%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute JavaScript in victim's browser via crafted SVG links, leading to potential session hijacking or other client-side attacks.

Mitigation

Update to version 3.6.1 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 20, 2026

🔴 CVE-2026-32940 - Critical (9.3) SiYuan is a personal knowledge management system. In versions 3.6.0 and below, SanitizeSVG has an incomplete blocklist — it blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml, both o... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32940/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32940
Severity: Critical
CVSS Score: 9.3
Type: stored_xss
Status: unconfirmed
EPSS: 4.8%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score

4.8%Probability of exploitation in the next 30 days