Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 42007bd9ca77 · 2026-03-04T21:47:10.000Z
GHSA-6865-qjcf-286f GHSA-f4vq-pj32-gr4q GHSA-f4vq-pj32-gr4q
diff --git a/advisories/github-reviewed/2026/03/GHSA-6865-qjcf-286f/GHSA-6865-qjcf-286f.json b/advisories/github-reviewed/2026/03/GHSA-6865-qjcf-286f/GHSA-6865-qjcf-286f.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6865-qjcf-286f",
+  "modified": "2026-03-04T21:45:10Z",
+  "published": "2026-03-04T21:45:10Z",
+  "aliases": [
+    "CVE-2026-29183"
+  ],
+  "summary": "SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint",
+  "details": "### Summary\nAn unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint:\n\n- `GET /api/icon/getDynamicIcon`\n\nWhen `type=8`, attacker-controlled `content` is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns `image/svg+xml`, a crafted URL can inject executable SVG/HTML event handlers (for example `onerror`) and run JavaScript in the SiYuan web origin.\n\nThis can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link.\n\n### Details\nThe issue is caused by unsafe output construction and incomplete sanitization:\n\n1. **Endpoint is exposed without auth middleware**\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/router.go#L27-L37\n   - `GET /api/icon/getDynamicIcon` is registered in the unauthenticated section.\n\n2. **User input is inserted into SVG via string formatting**\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/icon.go#L115-L175\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/icon.go#L537-L585\n   - In `generateTypeEightSVG`, `%s` directly injects `content` into `<text>...</text>` without XML/HTML escaping.\n\n3. **Sanitizer only removes `<script>` tags**\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/util/misc.go#L235-L281\n   - `RemoveScriptsInSVG` removes `<script>` nodes, but does not remove dangerous attributes (`onerror`, `onload`, etc.) or unsafe elements.\n\nAs a result, payloads such as `</text><image ... onerror=...><text>` survive and execute.\n\n### PoC\n\n#### Minimal browser execution PoC\nOpen this URL in a browser:\n\n```http\nGET /api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Cimage%20href%3Dx%20onerror%3Dalert(document.domain)%3E%3C%2Fimage%3E%3Ctext%3E\n```\n\nExample full URL:\n\n```text\nhttp://127.0.0.1:6806/api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Cimage%20href%3Dx%20onerror%3Dalert(document.domain)%3E%3C%2Fimage%3E%3Ctext%3E\n```\n\nExpected result:\n\n- JavaScript executes (`alert(document.domain)`), confirming reflected XSS.\n\n#### Authenticated impact demonstration\nIf a victim is authenticated in the same browser session, JavaScript running in origin can call privileged APIs and exfiltrate returned data.\n\n### Impact\nThis is a reflected XSS in an unauthenticated endpoint, with realistic account/data compromise impact:\n\n- Arbitrary JavaScript execution in SiYuan web origin.\n- Authenticated action abuse via same-origin API calls.\n- Sensitive data exposure (notes/config/API responses) from victim context.\n- Potential chained server-impact actions depending on victim privileges and deployment mode.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/siyuan-note/siyuan/kernel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260304034809-d68bd5a79391"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/commit/d68bd5a79391742b3cb2e14d892bdd9997064927"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siyuan-note/siyuan"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:45:10Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-f4vq-pj32-gr4q/GHSA-f4vq-pj32-gr4q.json b/advisories/github-reviewed/2026/03/GHSA-f4vq-pj32-gr4q/GHSA-f4vq-pj32-gr4q.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f4vq-pj32-gr4q",
+  "modified": "2026-03-04T21:46:00Z",
+  "published": "2026-03-04T03:31:34Z",
+  "aliases": [
+    "CVE-2026-3241"
+  ],
+  "summary": "Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability",
+  "details": "In Concrete CMS below version 9.4.8, a Cross-site Scripting (XSS) vulnerability exists in the \"Legacy Form\" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. \n\nThe Concrete CMS security team thanks M3dium for reporting.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "concrete5/concrete5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.4.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3241"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/concretecms/concretecms/pull/12826"
+    },
+    {
+      "type": "WEB",
+      "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/concretecms/concretecms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:46:00Z",
+    "nvd_published_at": "2026-03-04T03:16:05Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-f4vq-pj32-gr4q/GHSA-f4vq-pj32-gr4q.json b/advisories/unreviewed/2026/03/GHSA-f4vq-pj32-gr4q/GHSA-f4vq-pj32-gr4q.json
