CVE-2026-23847
Published: 2026-01-19
Priority: P4 27 · medium · CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.26% (17.6th percentile)
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | < 3.5.4 | 3.5.4 |
| github.com | siyuan-note_siyuan_kernel | >= 0 < 0.0.0-20260118021606-5c0cc375b475 | 0.0.0-20260118021606-5c0cc375b475 |
| siyuan-note | siyuan | < 3.5.4 | 3.5.4 |
CVSS provenance
NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v4.0: 2.1 LOW, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel
osv·2026-02-03
OSV
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
osv·2026-01-21
CVE-2026-23847 [LOW] SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
### Summary
Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input.
### Details
The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript.
### PoC
Payload: `testalert(window.origin)`
1. Open any note and click Change Icon -> Dynamic (Text).
2. Change color and paste the payload into the Custom field and click on this icon.
3. Intercept and send the request, or get the path from devtools.
4. The JavaScript payload executes after opening the URL.
### Impact
Arbitrary JavaScript exe
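The escaping fix the advisory implies, as an added Go example that is not SiYuan's code: a hypothetical text-icon renderer in the vulnerable form (content concatenated straight into the SVG) beside the hardened form (XML-escaped content), plus a strict-XML check a regression test can use. The template, the function names and the sample input are assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Minimal SVG shape for a text icon; hypothetical, not SiYuan's real template.
const iconTemplate = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><text x="50" y="60" fill="%s">%s</text></svg>`

// renderTextIconUnsafe reproduces the flawed pattern from the advisory:
// caller-controlled content lands in the SVG body with no XML escaping.
func renderTextIconUnsafe(content, color string) string {
	return fmt.Sprintf(iconTemplate, color, content)
}

// escapeXML turns & < > " ' into entity references, so the value can only
// ever be character data (and is also safe inside a quoted attribute).
func escapeXML(s string) string {
	var b strings.Builder
	_ = xml.EscapeText(&b, []byte(s)) // strings.Builder writes never fail
	return b.String()
}

// renderTextIconSafe is the hardened form: attribute and text node escaped.
func renderTextIconSafe(content, color string) string {
	return fmt.Sprintf(iconTemplate, escapeXML(color), escapeXML(content))
}

// countElements parses svg as strict XML and returns its start-element count.
// An icon built from iconTemplate must have exactly two (svg, text); any other
// count, or a parse error, means the content broke out of the text node.
func countElements(svg string) (int, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	n := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return n, err
		}
		if _, ok := tok.(xml.StartElement); ok {
			n++
		}
	}
}
```

With the constructed input `x<b>y</b>`, the unsafe render parses to three elements (the injected `<b>` became markup) while the hardened render parses to exactly two, which is the property a unit test on such an endpoint should assert.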
GHSA
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
ghsa·2026-01-21
CVE-2026-23847 [LOW] CWE-79 SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
No detection rules found.
No public exploits indexed.