Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]
Published: 2026-01-19
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious scripts via unsanitized SVG input to the /api/icon/getDynamicIcon endpoint. The endpoint returns an SVG image with a &lt;text&gt; tag that includes the content query parameter directly, without escaping. An attacker could craft a URL that contains a payload such as a &lt;script&gt; tag or malformed XML. When a user opens that link, the browser loads the SVG and executes the attacker’s JavaScript in the victim’s context. This permits theft of session cookies, defacement, or other actions that target the user’s browser session. The weakness corresponds to CWE-79 (Improper Neutralization of Input During Web Page Generation).

Affected Systems

SiYuan personal knowledge management system, vendor Siyuan. Versions earlier than 3.5.4 are affected. No later versions have the flaw.

Risk and Exploitability

The CVSS score is 2.1, indicating low severity, and the EPSS score is less than 1%, showing a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely network-based. Because the endpoint is reachable via an HTTP request and does not require authentication, an unauthenticated attacker can embed a malicious payload in a URL. If a user visits that URL, the browser will render the SVG and execute the script. The impact is confined to the victim’s browser session; it does not provide direct code execution on the server. The risk is mitigated by applying the patch, but in environments that cannot immediately upgrade, the exposure remains until remedied.

Generated by OpenCVE AI on April 18, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 3.5.4 or later of Siyuan, which includes the SVG input sanitization fix.
  • If upgrading is not immediately possible, restrict access to /api/icon/getDynamicIcon to authenticated users or remove the endpoint temporarily.
  • Configure a web application firewall or reverse proxy to reject requests containing suspicious characters or payloads in the content query parameter, such as "<", ">", or script tags.
  • Ensure server‑side XML escaping for any future SVG generation to prevent similar issues.

Generated by OpenCVE AI on April 18, 2026 at 05:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w836-5gpm-7r93 SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
History

Fri, 30 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 20 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Mon, 19 Jan 2026 20:00:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]
Title SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T14:37:42.649Z

Reserved: 2026-01-16T15:46:40.843Z

Link: CVE-2026-23847

cve-icon Vulnrichment

Updated: 2026-01-20T14:37:36.042Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T20:15:49.393

Modified: 2026-01-30T15:36:42.487

Link: CVE-2026-23847

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses