Cross-Site Scripting Vulnerabilities in SiYuan, Angular, and @leanprover/unicode-input-component
Multiple newly reported cross-site scripting (XSS) vulnerabilities affect unrelated software products, including SiYuan, Angular, and @leanprover/unicode-input-component. In SiYuan, incomplete SVG sanitization can let an unauthenticated attacker deliver a crafted URL that executes arbitrary JavaScript in the application's origin, enabling theft of session tokens, cookies, and API keys, as well as unauthorized access to notes, document contents, and configuration data. In Electron-based deployments, the impact may escalate to remote code execution if insecure web preferences such as nodeIntegration are enabled or contextIsolation is disabled.
Angular disclosed a separate XSS flaw, tracked as CVE-2026-32635, caused by a sanitization bypass involving internationalized security-sensitive attributes such as href when combined with untrusted data binding; fixed versions include 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. A third, distinct issue, CVE-2026-32732, affects @leanprover/unicode-input-component and allows arbitrary JavaScript execution in a victim's browser session, potentially enabling session abuse, data access, and unauthorized backend requests. These are separate vulnerability disclosures rather than a single coordinated incident.
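The summary above notes that in Electron-based SiYuan deployments an XSS escalates to code execution only when the renderer runs with nodeIntegration enabled or contextIsolation disabled. The following added example (not SiYuan's or Electron's own code) audits a BrowserWindow webPreferences object for exactly those settings. Because Electron's defaults changed across major versions, an absent key is resolved to its version-specific default before it is judged; the version thresholds are from Electron's release history (nodeIntegration off by default since 5, contextIsolation on since 12, renderer sandbox on since 20), and the preload path is a placeholder.

```javascript
// Added example (not SiYuan's or Electron's code): audit a BrowserWindow
// webPreferences object for the renderer settings the advisories name as
// the XSS-to-RCE escalation path. Defaults depend on the Electron major
// version, so an absent key is resolved before it is judged:
//   nodeIntegration  default false since Electron 5
//   contextIsolation default true  since Electron 12
//   sandbox          default true  since Electron 20 (unless nodeIntegration is on)
//   webSecurity      default true

function effectiveWebPreferences(electronMajor, prefs = {}) {
  const nodeIntegration = prefs.nodeIntegration ?? electronMajor < 5;
  const contextIsolation = prefs.contextIsolation ?? electronMajor >= 12;
  const sandbox = prefs.sandbox ?? (electronMajor >= 20 && !nodeIntegration);
  const webSecurity = prefs.webSecurity ?? true;
  return { nodeIntegration, contextIsolation, sandbox, webSecurity };
}

// Returns one finding per weak setting; an empty array means the renderer
// is configured so that an XSS stays an XSS.
function auditWebPreferences(electronMajor, prefs = {}) {
  const eff = effectiveWebPreferences(electronMajor, prefs);
  const findings = [];
  if (eff.nodeIntegration) {
    findings.push("nodeIntegration is enabled: page script can require() Node modules");
  }
  if (!eff.contextIsolation) {
    findings.push("contextIsolation is disabled: page script shares a realm with preload and Electron internals");
  }
  if (!eff.sandbox) {
    findings.push("renderer sandbox is off: a renderer compromise is not contained by the OS sandbox");
  }
  if (!eff.webSecurity) {
    findings.push("webSecurity is disabled: same-origin policy is not enforced");
  }
  return findings;
}

// Weak configuration of the kind the advisories describe (constructed sample).
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false };

// Hardened counterpart: keep Node out of the renderer and expose only a
// narrow API from a preload script via contextBridge.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: "/path/to/preload.js", // placeholder path, not from the page
};

// Stand-alone run: print the findings for both configurations on a current Electron.
console.log("weak:", auditWebPreferences(30, WEAK_PREFS));
console.log("hardened:", auditWebPreferences(30, HARDENED_PREFS));
```

Run it with the major version of the Electron your build actually ships; an empty object audited against Electron 4 yields three findings, while the same empty object against Electron 30 yields none, which is why the version must be part of the check.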
Timeline
Apr 1, 2026
CVE-2026-34605 SiYuan reflected XSS disclosure published
A new SiYuan reflected cross-site scripting vulnerability, CVE-2026-34605, was publicly reported with high severity. The disclosure said attackers could execute JavaScript to steal session cookies and CSRF tokens, read or alter a victim’s knowledge base, delete workspaces, and potentially plant persistent XSS payloads.
Mar 20, 2026
SiYuan fixes XSS issue in version 3.6.1
SiYuan released version 3.6.1 to fix the SVG sanitization bypass and unsafe dynamic icon handling that enabled the XSS vulnerability. The patch addressed the incomplete prior remediation affecting version 3.6.0 and earlier.
Mar 20, 2026
SiYuan vulnerability assigned CVE-2026-32940 and linked to incomplete prior fix
The SiYuan XSS issue was documented as CVE-2026-32940 and described as an incomplete fix for CVE-2026-29183, with bypasses using data:text/xml or data:application/xml in SVG href attributes. Reporting clarified that exploitation was click-through and did not depend on img tag rendering.
Mar 17, 2026
Angular XSS vulnerability warning published by Belgium CCB
Belgium's Centre for Cybersecurity issued a public advisory warning about an XSS vulnerability in Angular and urged users to patch immediately. The advisory provides no further technical details.
Mar 17, 2026
SiYuan XSS affects version 3.6.0 and earlier
A reflected cross-site scripting vulnerability in SiYuan was identified in version 3.6.0 and earlier, caused by incomplete SVG sanitization and unsafe handling of user-controlled input in the unauthenticated /api/icon/getDynamicIcon endpoint. The flaw could let attackers execute JavaScript in the SiYuan origin if a victim opened a crafted URL or interacted with malicious SVG content.
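The SiYuan entries above (the incomplete fix bypassed with data:text/xml and data:application/xml in SVG href attributes, and the incomplete SVG sanitization behind the unauthenticated icon endpoint) come down to one missing control: an allow-list on the URL scheme and media type of every href value. The block below is an added example, not SiYuan's code, showing that check in JavaScript. It decodes character references and strips the whitespace a URL parser would ignore before looking at the scheme, accepts only http(s), relative references and raster-image data: URLs, and refuses protocol-relative references because of the UNC-resolution behaviour noted in the related Mermaid story. The attribute scanner is illustrative; a production sanitizer should apply the same check to a parsed DOM (for example through a DOMPurify hook) rather than to raw markup. The sample SVG is constructed.

```javascript
// Added example (not SiYuan's code): URL-scheme allow-listing for href /
// xlink:href values in SVG, the class of check whose gaps the data:text/xml
// and data:application/xml bypass slipped through. Illustrative only: a
// production sanitizer should run this check on the parsed DOM.

const SAFE_DATA_MEDIA = new Set(["image/png", "image/jpeg", "image/gif", "image/webp"]);

// Browsers decode character references in attribute values before URL
// parsing, so the check must decode them too or "&#100;ata:" slips through.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":", tab: "\t", newline: "\n" };

function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named !== undefined ? named : m;
  });
}

// Mirror what a URL parser does before it reads the scheme: drop tab and
// newline anywhere, trim leading/trailing C0 controls and spaces.
function normalizeUrl(value) {
  return decodeEntities(value)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

function isSafeSvgHref(rawValue) {
  const url = normalizeUrl(rawValue);
  const scheme = url.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!scheme) {
    // Relative reference or fragment (#id). Protocol-relative "//host" is
    // refused as well: on Windows it can resolve to a UNC share.
    return !/^[\\/]{2}/.test(url);
  }
  const s = scheme[1].toLowerCase();
  if (s === "http" || s === "https") return true;
  if (s === "data") {
    // Raster image media types only; text/xml, application/xml and
    // image/svg+xml can all carry markup that executes in the origin.
    const media = url.slice(5).split(/[;,]/, 1)[0].trim().toLowerCase();
    return SAFE_DATA_MEDIA.has(media);
  }
  return false; // javascript:, vbscript:, file:, and anything unknown
}

// Remove every href / xlink:href attribute whose value fails the check.
// Handles quoted attribute values only (see the DOM caveat above).
function sanitizeSvgHrefs(svg) {
  return svg.replace(
    /\s((?:xlink:)?href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi,
    (attr, _name, dq, sq) => (isSafeSvgHref(dq !== undefined ? dq : sq) ? attr : "")
  );
}

// Constructed sample: one bypass-style reference beside a legitimate image.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg">' +
  '<use xlink:href="data:text/xml,x"/>' +
  '<image href="https://example.com/a.png"/>' +
  '</svg>';

console.log(sanitizeSvgHrefs(SAMPLE_SVG));
```

The point of the normalization step is that a scheme check is only as good as what it sees: a value that reaches the check with an undecoded entity or an embedded newline in the scheme passes a naive comparison and is then decoded by the browser. Checking after normalization, and defaulting to reject for any scheme not explicitly listed, closes the gap that an incomplete deny-list leaves open.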
Mar 16, 2026
CVE-2026-32732 XSS in @leanprover/unicode-input-component disclosed
A cross-site scripting vulnerability affecting @leanprover/unicode-input-component was publicly reported. The issue could allow arbitrary JavaScript execution in a victim's browser session, potentially enabling session theft, data access, and unauthorized backend requests using the victim's privileges.
Related Stories
SiYuan Flaws Exposed Files and Enabled Desktop Command Execution
SiYuan disclosed two high-severity vulnerabilities affecting its personal knowledge management platform, including an arbitrary file-read issue tracked as **`CVE-2026-32938`** and a stored XSS flaw tracked as **`CVE-2026-34448`**. In SiYuan **3.6.0 and earlier**, the desktop publish service endpoint **`/api/lute/html2BlockDOM`** could copy local files referenced through **`file://`** links into the workspace assets directory without properly validating sensitive paths. Because authenticated users could then access **`GET /assets/*path`**, a publish-service visitor could exfiltrate readable local files from the desktop environment. The issue was fixed in **3.6.1**. A separate flaw in SiYuan **before 3.6.2** allowed an attacker to plant a malicious URL in an Attribute View field and trigger stored XSS when a victim opened Gallery or Kanban views configured with **"Cover From -> Asset Field"**. The application accepted arbitrary HTTP(S) URLs without extensions as images and injected them into an **`<img src="...">`** attribute without escaping. In the Electron desktop client, where **`nodeIntegration`** was enabled and **`contextIsolation`** was disabled, the XSS could escalate to arbitrary operating-system command execution under the victim’s account. SiYuan patched the command-execution path in **3.6.2**, leaving affected organizations to prioritize upgrades across both releases.
1 month ago
SiYuan Mermaid Rendering Flaws Expose NTLM Hashes and Enable Electron RCE
GitHub security advisories disclosed two high-severity vulnerabilities in **SiYuan** that stem from unsafe Mermaid diagram rendering in versions `3.6.3` and earlier. In `CVE-2026-40107`, SiYuan rendered Mermaid content with `securityLevel="loose"` and `htmlLabels` enabled, allowing attacker-controlled `img` tags to survive sanitization and be injected into SVG `foreignObject` content through `innerHTML`. When a victim opens a malicious note, the Electron client can fetch an attacker-controlled URL; on Windows, protocol-relative paths may resolve to UNC shares and trigger automatic SMB authentication, leaking the victim's **NTLMv2** hash. The issue was fixed in version `3.6.4` and mapped to `CWE-918`. A second flaw, `CVE-2026-40322`, used the same Mermaid configuration weakness to allow `javascript:` links to persist in rendered SVG output, creating a stored **XSS** condition. In SiYuan's Electron desktop application, where `nodeIntegration` was enabled and `contextIsolation` disabled, the bug could be escalated to arbitrary code execution if a user opened a malicious note and clicked the rendered diagram node. The vulnerability affects the same pre-`3.6.4` release line and is mapped to `CWE-79` and `CWE-94`, with advisory details describing high impact to confidentiality, integrity, and availability.
2 weeks ago
Stored XSS Vulnerability in Angular via SVG and MathML Bypass
A high-severity vulnerability, tracked as CVE-2025-66412, has been discovered in the Angular framework, allowing stored cross-site scripting (XSS) attacks through SVG animation, SVG URL, and MathML attributes. The flaw exists in the Angular Template Compiler, where the internal security schema fails to properly classify certain URL-holding attributes as requiring strict URL security, enabling attackers to inject malicious scripts that bypass Angular's built-in sanitization. This vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17, and has been addressed in these subsequent releases. Attackers exploiting this vulnerability can persistently inject malicious JavaScript into web applications built with vulnerable Angular versions, potentially compromising user data and session integrity. Organizations using Angular are strongly advised to update to the fixed versions to mitigate the risk of exploitation. The vulnerability is remotely exploitable and has been rated as high severity, with a CVSS 4.0 score of 8.5, underscoring the urgency for prompt remediation.
1 month ago