Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
Published: 2026-01-19
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

SiYuan versions older than 3.5.4 suffer a stored Cross‑Site Scripting flaw that allows an attacker to inject arbitrary HTML attributes into the icon field of a block via the /api/attr/setBlockAttrs endpoint. The injected payload is later rendered by the dynamic icon feature without sanitization, delivering stored XSS that, in the desktop client, can be leveraged for remote code execution. The weakness aligns with CWE‑79 for XSS and CWE‑94 for code injection.

Affected Systems

The vulnerability affects the SiYuan personal knowledge management application (siyuan-note:siyuan). All releases prior to 3.5.4 are impacted; version 3.5.4 and later contain a fixed implementation.

Risk and Exploitability

The CVSS score of 5.8 reflects moderate severity, while the EPSS score under 1 % indicates a low probability of immediate exploitation and the issue is not listed in the CISA KEV catalog. An attacker would need the ability to invoke the /api/attr/setBlockAttrs API to supply a malicious icon value, typically implying authenticated access to a user’s document. Once the payload is stored it is executed whenever that block’s icon is rendered, providing a persistent XSS vector that can evolve into RCE on the desktop platform.

Generated by OpenCVE AI on April 18, 2026 at 05:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.5.4 or newer where the dynamic icon rendering is secured
  • If an upgrade is not feasible, apply the patch commit 0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb to fix the icon attribute handling
  • Disable the dynamic icon feature or remove custom icons from existing blocks to prevent stored XSS

Generated by OpenCVE AI on April 18, 2026 at 05:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
Weaknesses CWE-79
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Tue, 20 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Mon, 19 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
Title SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 5.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:05:02.903Z

Reserved: 2026-01-16T15:46:40.843Z

Link: CVE-2026-23852

cve-icon Vulnrichment

Updated: 2026-01-20T20:03:59.554Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T20:15:49.803

Modified: 2026-01-30T15:08:46.287

Link: CVE-2026-23852

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:00:06Z

Weaknesses