Description
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript Execution
Action: Apply Patch
AI Analysis

Impact

SiYuan exposes an unauthenticated dynamic icon API that returns SVG content without proper escaping. When the request parameter "type=8" is used, attacker‑controlled data can be embedded into the SVG output, allowing injection of executable scripts or HTML event handlers such as onerror. The vulnerability permits arbitrary JavaScript execution in the context of the SiYuan web origin, which can be used to hijack sessions, modify data, or exfiltrate sensitive information. The impact is significant due to the potential for remote code execution and the ability to chain actions after a user authenticates. The weakness is classified as Reflected XSS (CWE‑79).

Affected Systems

The issue affects all installations of the Siyuan personal knowledge management system using versions prior to 3.5.9. The vulnerability is present in the dynamic icon endpoint "GET /api/icon/getDynamicIcon" when the type parameter is set to 8. No specific version numbers beyond the cut‑off are listed; administrators should verify that their deployment is 3.5.9 or newer.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply visiting a crafted URL that targets the unauthenticated endpoint, thereby delivering malicious SVG to any user who opens the link. Once a user initiates the request, the injected code runs with the privileges of the logged‑in account, enabling further authenticated API actions and data exfiltration.

Generated by OpenCVE AI on April 16, 2026 at 11:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Siyuan to version 3.5.9 or later to apply the official fix
  • If an immediate upgrade is not possible, restrict access to the /api/icon/getDynamicIcon endpoint by adding network ACLs or a firewall rule that blocks unauthenticated requests
  • Recognize suspicious SVG links and avoid opening them until the application has been confirmed to be patched

Generated by OpenCVE AI on April 16, 2026 at 11:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6865-qjcf-286f SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
History

Tue, 10 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared B3log
B3log siyuan
CPEs cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products B3log
B3log siyuan

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Siyuan
Siyuan siyuan
Vendors & Products Siyuan
Siyuan siyuan

Fri, 06 Mar 2026 07:30:00 +0000

Type Values Removed Values Added
Description SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
Title SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

B3log Siyuan
Siyuan Siyuan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:05:18.323Z

Reserved: 2026-03-04T14:44:00.714Z

Link: CVE-2026-29183

cve-icon Vulnrichment

Updated: 2026-03-06T15:58:08.252Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T08:16:27.090

Modified: 2026-03-10T19:02:31.160

Link: CVE-2026-29183

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses