CVE-2026-29183
published 2026-03-06


Priority: P3 (42)
Severity: medium, CVSS 3.1 base score 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 0.63% (45.4th percentile)
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon": when type=8, attacker-controlled content is embedded into the SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. When a logged-in user opens the malicious link, this can be chained to perform authenticated API actions and exfiltrate sensitive data. This issue has been patched in version 3.5.9.
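The bug class described above, as an added example in Go (the language SiYuan's kernel is written in). This is not SiYuan's code: the SVG skeleton, the function names and the assumption that the injectable value arrives as a query parameter are all hypothetical, chosen only to show the unescaped interpolation beside its escaped form and a log check for the endpoint named in the advisory.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Added example, not SiYuan's code. The SVG skeleton, the function names and
// the query-parameter handling are assumptions that model the bug class the
// advisory describes: a caller-supplied string copied into an image/svg+xml
// body without escaping.

const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">` +
	`<text x="4" y="40" font-size="16">%s</text></svg>`

// renderIconUnescaped mirrors the flaw: the caller's string is interpolated
// verbatim, so "<img src=x onerror=...>" becomes live markup inside the SVG
// document, and the handler fires when the URL is opened directly.
func renderIconUnescaped(content string) string {
	return fmt.Sprintf(svgTemplate, content)
}

// renderIconEscaped is the fix: html.EscapeString rewrites <, >, &, ' and "
// as entities, so whatever the caller sends can only ever be text-node data.
func renderIconEscaped(content string) string {
	return fmt.Sprintf(svgTemplate, html.EscapeString(content))
}

// eventHandlerRe matches an HTML/SVG event-handler attribute such as onerror=.
var eventHandlerRe = regexp.MustCompile(`(?i)\bon[a-z]+\s*=`)

// suspiciousIconRequest is a detection helper for web/access logs: it flags a
// request line for the endpoint named in the advisory when type=8 and any
// URL-decoded query value carries a tag opener or an event-handler attribute.
// Every parameter is inspected because the advisory does not name the one
// that carries the icon content (assumption).
func suspiciousIconRequest(requestURI string) bool {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil || !strings.HasPrefix(u.Path, "/api/icon/getDynamicIcon") {
		return false
	}
	q := u.Query()
	if q.Get("type") != "8" {
		return false
	}
	for _, values := range q {
		for _, v := range values {
			if strings.Contains(v, "<") || eventHandlerRe.MatchString(v) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed payload and request line, not taken from the advisory.
	payload := `<img src=x onerror=alert(1)>`
	fmt.Println("vulnerable:", renderIconUnescaped(payload))
	fmt.Println("hardened:  ", renderIconEscaped(payload))
	fmt.Println("flagged:", suspiciousIconRequest(
		"/api/icon/getDynamicIcon?type=8&content=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"))
}
```

The hardened renderer relies on one property only: user input is never allowed to close the surrounding `<text>` element or start a new one. The log check is deliberately loose (any `<` or `on…=` in a decoded value for type=8) so it catches probing as well as a working payload; tighten it against your own traffic before alerting on it.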

Affected (6 ranges)

Vendor        Product                        Version range                                   Fixed in
b3log         siyuan                         < 3.5.9                                         3.5.9
b3log         siyuan                         < 3.5.10                                        3.5.10
github.com    siyuan-note_siyuan             0 – 0.0.0-20260313024916-fd6526133bb3           (not listed)
github.com    siyuan-note_siyuan_kernel      >= 0, < 0.0.0-20260304034809-d68bd5a79391       0.0.0-20260304034809-d68bd5a79391
github.com    siyuan-note_siyuan_kernel      >= 0, < 0.0.0-20260310025236-297bd526708f       0.0.0-20260310025236-297bd526708f
siyuan-note   siyuan                         < 3.6.1                                         3.6.1

The sources disagree on the first fixed release (3.5.9 in the description, 3.5.10 and 3.6.1 in the other ranges), and the Go module entries are pseudo-versions keyed to commit timestamps rather than tagged releases. When checking a deployment, compare against the highest fixed version listed rather than the 3.5.9 in the summary.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ghsa               6.1     MEDIUM
osv                6.1     MEDIUM