CVE-2026-29183
📋 TL;DR
An unauthenticated reflected XSS vulnerability in SiYuan's dynamic icon API allows attackers to inject malicious JavaScript via crafted SVG images. When a logged-in user visits a malicious link, attackers can perform authenticated API actions and steal sensitive data. All SiYuan instances prior to version 3.5.9 are affected.
💻 Affected Systems
- SiYuan Personal Knowledge Management System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data exfiltration, and unauthorized system access through chained authenticated API calls.
Likely Case
Session hijacking, data theft, and unauthorized actions performed in the victim's context.
If Mitigated
Limited impact if proper content security policies and input validation are in place.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is straightforward once crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.9
Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f
Restart Required: Yes
Instructions:
1. Backup your SiYuan data. 2. Download and install SiYuan version 3.5.9 or later from official sources. 3. Restart the SiYuan service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Content Security Policy
allImplement strict CSP headers to block inline scripts and restrict script sources.
Add 'Content-Security-Policy: default-src 'self'; script-src 'self';' to web server headers
Input Validation Filter
allAdd input validation to sanitize SVG content in the dynamic icon endpoint.
Implement proper escaping for SVG/HTML attributes in /api/icon/getDynamicIcon endpoint
🧯 If You Can't Patch
- Restrict access to SiYuan instance to trusted users only using network ACLs or authentication gateways.
- Implement web application firewall (WAF) rules to block malicious SVG content and XSS payloads.
🔍 How to Verify
Check if Vulnerable:
Check if SiYuan version is below 3.5.9 via web interface or system logs.Check Version:
Check SiYuan web interface settings or system logs for version information.Verify Fix Applied:
Confirm version is 3.5.9 or higher and test the /api/icon/getDynamicIcon endpoint with malicious payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/icon/getDynamicIcon with type=8 parameter
- SVG content containing script or event handlers
Network Indicators:
- HTTP requests with malicious SVG payloads in query parameters
- Unusual outbound data transfers following icon API calls
SIEM Query:
source="siyuan" AND (uri_path="/api/icon/getDynamicIcon" AND query="*type=8*")