CVE-2026-23847
📋 TL;DR
SiYuan personal knowledge management systems before version 3.5.4 are vulnerable to reflected cross-site scripting (XSS) via the /api/icon/getDynamicIcon endpoint. Attackers can inject malicious SVG content that executes JavaScript in victims' browsers when they view specially crafted URLs. This affects all users running vulnerable versions of SiYuan.
💻 Affected Systems
- SiYuan Personal Knowledge Management System
📦 What is this software?
Siyuan by B3log
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the authenticated user, redirect to malicious sites, or install malware via drive-by downloads.
Likely Case
Session hijacking, credential theft, or defacement of the knowledge management interface through injected content.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers and input validation, though XSS could still execute in some contexts.
🎯 Exploit Status
The vulnerability is well-documented in public advisories with technical details, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.4
Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93
Restart Required: Yes
Instructions:
1. Backup your SiYuan data.
2. Download and install SiYuan version 3.5.4 or later from the official repository.
3. Restart the SiYuan service or application.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side filtering to sanitize the 'content' parameter before processing in the SVG generation endpoint.
Not applicable - requires code modification
Content Security Policy
Implement strict CSP headers to prevent execution of inline scripts and restrict script sources.
Add header: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Restrict access to the /api/icon/getDynamicIcon endpoint using network controls or web application firewalls.
- Implement output encoding for SVG content and validate all user input before processing.
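The two workarounds above (sanitizing the 'content' parameter and output-encoding the SVG) come down to one rule: user-supplied icon text must reach the SVG as escaped text, never as markup. The following is an added example, not SiYuan's own code; the SVG layout, the 64-character limit and the function names are assumptions chosen for illustration. The "unsafe" function shows the interpolation pattern that produces reflected XSS, the "safe" one the hardened form.

```python
import html
import re

# Assumption: a conservative upper bound on the text an icon label can carry.
MAX_CONTENT_LEN = 64

# ASCII control characters never belong in a single-line icon label.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Captures the inner text of the <text> node so the result can be inspected.
_TEXT_NODE = re.compile(r"<text[^>]*>(.*?)</text>", re.S)


def sanitize_icon_content(content):
    """Normalise user-supplied icon text: drop control characters, cap length."""
    if content is None:
        return ""
    cleaned = _CONTROL_CHARS.sub("", content)
    return cleaned[:MAX_CONTENT_LEN]


def render_icon_unsafe(content):
    """Hypothetical vulnerable pattern: raw interpolation of the parameter into SVG.

    Anything the caller sends, including <script> elements or event handlers,
    becomes part of the document and is parsed as markup by the browser.
    """
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">'
        f'<text x="0" y="16">{content}</text>'
        "</svg>"
    )


def render_icon_safe(content):
    """Hardened form: validate, then XML-escape before embedding.

    html.escape(quote=True) rewrites & < > " ' so the value can only ever be
    character data inside the <text> node, never a new element or attribute.
    """
    text = html.escape(sanitize_icon_content(content), quote=True)
    return (
        '<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32">'
        f'<text x="0" y="16">{text}</text>'
        "</svg>"
    )


def contains_markup(svg):
    """True if the <text> node still carries a tag start or a script URL.

    Useful as a regression check on the generated output after patching.
    """
    match = _TEXT_NODE.search(svg)
    if not match:
        return False
    inner = match.group(1)
    return "<" in inner or "javascript:" in inner.lower()


if __name__ == "__main__":
    probe = "<script>alert('XSS')</script>"  # constructed test value
    print("unsafe:", render_icon_unsafe(probe))
    print("safe:  ", render_icon_safe(probe))
```

Escaping fixes the injection point, but the response headers still matter for defence in depth: an SVG that is opened directly in a browser tab is a full document, so the CSP recommended above has to be sent on the icon response itself, and serving it with `Content-Disposition: attachment` or as an `<img>` source rather than a navigable URL further reduces what injected content could do.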
🔍 How to Verify
Check if Vulnerable:
Test by accessing /api/icon/getDynamicIcon?type=8&content=<script>alert('XSS')</script> and checking if script executes in browser.
Check Version:
Check SiYuan version in application settings or via package manager: siyuan --version
Verify Fix Applied:
After patching, request the same URL again: the content should appear escaped in the SVG output, and no script should execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/icon/getDynamicIcon with script-like content in parameters
- Multiple failed authentication attempts following icon requests
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in the 'content' parameter
- Unusual outbound connections from SiYuan server after icon requests
SIEM Query:
source="siyuan" AND uri="/api/icon/getDynamicIcon" AND (param_content CONTAINS "<script>" OR param_content CONTAINS "javascript:")
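The log and network indicators above, and the SIEM query, all match on the literal string `<script>`; in practice the 'content' parameter arrives percent-encoded (`%3Cscript%3E`), so a detector has to decode the query string before matching. The following is an added example, not part of the original advisory or of SiYuan: it parses constructed reverse-proxy access-log lines in combined format and flags requests to /api/icon/getDynamicIcon whose decoded 'content' value carries a tag, a `javascript:` URL or an event-handler attribute. The log format and the sample entries are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ICON_PATH = "/api/icon/getDynamicIcon"

# Combined log format as written by a reverse proxy in front of SiYuan (assumed layout).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of active content in an icon label, checked on the decoded value:
# a tag start, a javascript: URL, or an on*= event-handler attribute.
_SCRIPT_LIKE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Constructed sample log: one benign request, three probes from one client, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:01:02 +0000] "GET /api/icon/getDynamicIcon?type=8&content=Mon HTTP/1.1" 200 812
10.0.0.9 - - [12/Jan/2026:10:01:07 +0000] "GET /api/icon/getDynamicIcon?type=8&content=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 901
10.0.0.9 - - [12/Jan/2026:10:01:09 +0000] "GET /api/icon/getDynamicIcon?type=1&content=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200 877
10.0.0.7 - - [12/Jan/2026:10:02:11 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jan/2026:10:02:15 +0000] "GET /api/icon/getDynamicIcon?type=8&content=javascript%3Aalert(1) HTTP/1.1" 200 840
"""


def decode_content_param(uri):
    """Return the decoded 'content' query value, or '' if absent.

    parse_qs already percent-decodes once; the extra unquote catches
    double-encoded values and is a no-op on plain text.
    """
    values = parse_qs(urlsplit(uri).query, keep_blank_values=True).get("content", [])
    return unquote(values[0]) if values else ""


def is_suspicious_icon_request(uri):
    """True for a request to the icon endpoint whose content looks like markup or script."""
    if urlsplit(uri).path != ICON_PATH:
        return False
    return bool(_SCRIPT_LIKE.search(decode_content_param(uri)))


def scan_access_log(log_text):
    """Return one record per flagged request: source IP, timestamp and decoded content."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m or not is_suspicious_icon_request(m["uri"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "content": decode_content_param(m["uri"])})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['content']!r}")
```

Grouping the hits by source IP, as the sample shows for 10.0.0.9, turns three individually low-confidence events into a clear probing pattern; that aggregation is what the "multiple requests from one client" indicator above is really after.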