CVE-2026-31809: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
CVE-2026-31809 is a reflected cross-site scripting (XSS) vulnerability in SiYuan personal knowledge management system versions prior to 3.5.10. The issue arises from improper sanitization of SVG href attributes, where ASCII whitespace characters are used to bypass the javascript: prefix check. This allows attackers to inject and execute arbitrary JavaScript via the unauthenticated /api/icon/getDynamicIcon endpoint. The vulnerability is a second bypass of a previous fix (CVE-2026-29183) and has a CVSS score of 6.4 (medium severity). Exploitation requires user interaction but no authentication. The vulnerability affects confidentiality and integrity by enabling script execution in users' browsers, potentially leading to session hijacking or other attacks. The flaw is fixed in version 3.
AI Analysis
Technical Summary
CVE-2026-31809 is a reflected cross-site scripting (XSS) vulnerability in the SiYuan note-taking application, specifically in versions before 3.5.10. SiYuan uses an SVG sanitizer component (SanitizeSVG) to check href attributes for the presence of the 'javascript:' URI scheme to prevent script injection. The sanitizer uses the Go function strings.HasPrefix() to detect the 'javascript:' prefix. However, this check is bypassed when an attacker inserts ASCII tab (\t), newline (\n), or carriage return (\r) characters within the 'javascript:' string. According to the WHATWG URL specification, browsers strip these whitespace characters before parsing the URL scheme, causing the JavaScript to execute despite the sanitizer's check. This vulnerability allows an attacker to inject executable JavaScript code into the unauthenticated /api/icon/getDynamicIcon endpoint, resulting in reflected XSS. This is a second bypass of a prior fix for CVE-2026-29183, which was addressed in version 3.5.9. The vulnerability was publicly disclosed on March 10, 2026, with a CVSS 4.0 score of 6.4, indicating medium severity. No known exploits are currently reported in the wild. The vulnerability impacts confidentiality and integrity by enabling script execution in victims' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability does not require authentication but does require user interaction (e.g., clicking a crafted link). The issue is resolved in SiYuan version 3.5.10.
Potential Impact
The reflected XSS vulnerability in SiYuan can have significant impacts on organizations using this software for personal knowledge management. Attackers can exploit this flaw to execute arbitrary JavaScript in the context of the victim's browser, potentially stealing session tokens, credentials, or other sensitive information. This can lead to unauthorized access to user data or manipulation of the application interface. Since the vulnerable endpoint is unauthenticated, any user visiting a maliciously crafted URL could be targeted. The vulnerability undermines user trust and could facilitate further attacks such as phishing or malware delivery. Organizations relying on SiYuan for sensitive or proprietary information risk data leakage and compromise of user accounts. Although no exploits are currently known in the wild, the ease of bypassing the sanitizer and the public disclosure increase the likelihood of exploitation attempts. The impact is primarily on confidentiality and integrity, with availability not directly affected.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade SiYuan to version 3.5.10 or later, where the issue is fixed. If upgrading is not immediately possible, implement strict input validation and output encoding on the /api/icon/getDynamicIcon endpoint to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources of executable code. Monitor web traffic for suspicious requests targeting the vulnerable endpoint. Educate users to avoid clicking untrusted links, especially those that could exploit reflected XSS. Additionally, review and harden SVG sanitization logic to correctly handle whitespace characters within URI schemes. Regularly audit and test web applications for XSS vulnerabilities using automated scanners and manual penetration testing. Finally, maintain an incident response plan to quickly address any exploitation attempts.
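As an added example (not SiYuan's own code), the weak prefix check described in the technical summary is shown beside a hardened check that first normalizes the attribute value the way the WHATWG URL parser does (trim C0 controls and space, delete ASCII tab, LF and CR) and then allow-lists schemes rather than deny-listing javascript:. All function names are hypothetical.

```go
package main

import "strings"

// weakHasJavascriptPrefix reproduces the defective pattern: a bare
// strings.HasPrefix on the raw value, which never sees a browser-normalized string.
func weakHasJavascriptPrefix(href string) bool {
	return strings.HasPrefix(strings.ToLower(href), "javascript:")
}

// stripURLWhitespace applies the WHATWG URL parser's pre-processing: trim leading
// and trailing C0 controls and space, then delete ASCII tab, LF and CR anywhere.
func stripURLWhitespace(href string) string {
	trimmed := strings.TrimFunc(href, func(r rune) bool { return r <= ' ' })
	return strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // drop the character
		}
		return r
	}, trimmed)
}

// urlScheme returns the lower-cased scheme as a browser would parse it from an
// already-normalized string, or "" when there is none (relative URL or fragment).
func urlScheme(norm string) string {
	idx := strings.IndexByte(norm, ':')
	if idx < 1 {
		return ""
	}
	for i, r := range norm[:idx] {
		alpha := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
		digit := r >= '0' && r <= '9'
		if i == 0 && !alpha {
			return "" // scheme must start with ASCII alpha
		}
		if !alpha && !digit && r != '+' && r != '-' && r != '.' {
			return "" // not a valid scheme char: the colon is not a scheme separator
		}
	}
	return strings.ToLower(norm[:idx])
}

// hardenedHrefAllowed normalizes like the browser, then permits only schemes the
// sanitizer explicitly expects (plus scheme-less references).
func hardenedHrefAllowed(href string) bool {
	switch urlScheme(stripURLWhitespace(href)) {
	case "", "http", "https", "mailto":
		return true
	}
	return false
}
```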
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T16:33:42.913Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b089ca2f860ef943c11e93
Added to database: 3/10/2026, 9:14:50 PM
Last enriched: 3/10/2026, 9:29:25 PM
Last updated: 3/10/2026, 11:20:44 PM