Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: SiYuan
PRODUCT: SiYuan
AFFECTED_VERSIONS: 3.6.0 and below
---END_METADATA---
Description Summary:
SiYuan versions 3.6.0 and below contain a click-through XSS vulnerability in the dynamic icon API due to incomplete SVG sanitization.
Executive Summary:
SiYuan knowledge management systems are vulnerable to a critical click-through XSS attack that can lead to unauthorized JavaScript execution via malicious SVG files.
Vulnerability Details
CVE-ID: CVE-2026-32940
Affected Software: SiYuan (Personal Knowledge Management System)
Affected Versions: 3.6.0 and below
Vulnerability: The
/api/icon/getDynamicIconendpoint serves user-controlled input directly into SVG markup without escaping. The sanitization process misses certain XML MIME types, allowing an unauthenticated attacker to craft a URL that, when clicked by a victim, executes JavaScript within the context of the application.Business Impact
A successful Cross-Site Scripting (XSS) attack can allow an attacker to steal session cookies, perform actions on behalf of the user, or deface the application. Although it requires a "click-through," the high CVSS score of 9.3 highlights the significant risk to user data and the potential for session hijacking in a knowledge-heavy environment.
Remediation Plan
Immediate Action: Update SiYuan to version 3.6.1 or later to implement the corrected SVG sanitization logic and input escaping.
Proactive Monitoring: Inspect application logs for unusual parameters being passed to the dynamic icon API and monitor for reports of suspicious links within the SiYuan community.
Compensating Controls: Implement a strong Content Security Policy (CSP) that restricts the execution of inline scripts and prevents the loading of objects from untrusted origins.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Mar 20, 2026, there is no public information indicating active exploitation. The vulnerability is technically detailed, suggesting that proof-of-concept exploits could be developed quickly.
Analyst Recommendation
The risk of XSS in a productivity tool like SiYuan is substantial. Users should update to version 3.6.1 immediately. Until the patch is applied, users should be warned against clicking on unknown links that point to their SiYuan instance's dynamic icon API.