Description

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
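The bug class described above is attribute injection: a value stored through an API is later interpolated into markup, so a closing quote in the stored `icon` value lets the attacker start new attributes of their own. The following is an added example, not SiYuan's code or the fix referenced below: it shows the unsafe interpolation pattern beside a hardened version that allowlists the icon value (assumed here to be either an emoji codepoint sequence or an image file name) and escapes it before rendering, plus a small detector for the injection shape. The markup, the `/assets/icons/` path, the allowlist and the sample payload are all constructed assumptions.

```javascript
// Added example (not SiYuan's implementation). Everything below is a constructed
// model of the bug class: an attacker-controlled "icon" attribute dropped into HTML.

// Assumed allowlist for a stored icon value:
//  - emoji codepoint sequences such as "1f600" or "1f468-200d-1f4bb"
//  - plain image file names with a small set of extensions
const ICON_PATTERN = /^(?:[0-9a-f]{4,6}(?:-[0-9a-f]{4,6})*|[A-Za-z0-9_-]+\.(?:png|svg|jpe?g|gif|webp))$/;

// Minimal HTML attribute escaping: enough to keep a value inside a double-quoted
// attribute from closing the quote or opening a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: the stored attribute goes straight into the markup string.
// A value containing `"` closes src and lets the rest become new attributes.
function renderIconVulnerable(icon) {
  return `<img class="icon" src="/assets/icons/${icon}">`;
}

// Hardened pattern: validate against the allowlist first (reject, do not "clean"),
// then escape anyway so a future loosening of the allowlist cannot reintroduce the bug.
function renderIconSafe(icon) {
  if (typeof icon !== "string" || !ICON_PATTERN.test(icon)) {
    return null; // caller should fall back to a default icon
  }
  return `<img class="icon" src="/assets/icons/${escapeAttr(icon)}">`;
}

// Detector for the injection shape: a quote that closes the current attribute,
// whitespace, then an on* event-handler attribute. Useful as a unit-test oracle
// or as a quick grep over stored attribute values in a backup.
function containsAttributeInjection(markup) {
  return /"\s+on[a-z]+\s*=/i.test(markup);
}

// Constructed sample payload of the kind a stored XSS would use; it is not the
// payload from the advisory, which is not reproduced on this page.
const constructedPayload = 'x.png" onerror="alert(document.domain)';

// Demonstration of both renderers on the same stored value.
function demo() {
  const unsafe = renderIconVulnerable(constructedPayload);
  const safe = renderIconSafe(constructedPayload);
  return {
    unsafe,
    unsafeInjected: containsAttributeInjection(unsafe),
    safe, // null: rejected by the allowlist
    benign: renderIconSafe("1f600"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}

module.exports = { ICON_PATTERN, escapeAttr, renderIconVulnerable, renderIconSafe, containsAttributeInjection, constructedPayload, demo };
```

The same allowlist belongs at the API boundary (`setBlockAttrs` in this case) as well as at render time: validating on write stops the payload from being stored at all, while escaping on render is what protects values that were written before the check existed, which is exactly the situation a bypass of an earlier fix leaves behind.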

State: PUBLISHED | Reserved: 2026-01-16 | Published: 2026-01-19 | Updated: 2026-01-20 | Assigner: GitHub_M

Metrics

MEDIUM: 5.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< 3.5.4: affected

References

github.com/...siyuan/security/advisories/GHSA-7c6g-g2hx-23vv

github.com/...ommit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb

cve.org (CVE-2026-23852)

nvd.nist.gov (CVE-2026-23852)