CVE-2026-23847
Reflected XSS in SiYuan /api/icon/getDynamicIcon SVG Endpoint
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siyuan_note | siyuan | all versions before 3.5.4 (3.5.4 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23847 is a reflected Cross-Site Scripting (XSS) vulnerability in the SiYuan personal knowledge management system before version 3.5.4. It sits in the /api/icon/getDynamicIcon endpoint, which generates SVG images for text icons. The value of the content query parameter is inserted directly into the SVG <text> element without XML escaping, so an attacker can close the <text> element with a literal </text>, add elements of their own (including <script>), and reopen <text> so the document still parses. Because the response is served as Content-Type image/svg+xml, a browser that loads the URL as a document (direct navigation, or an <iframe>, <object> or <embed>) executes the injected script with the origin of the SiYuan instance; an <img> tag does not run SVG scripts, so the reflected page must be opened directly. The script then runs with whatever the victim's browser holds for that origin. [3]
How can this vulnerability impact me?
An attacker who gets a user to open a crafted getDynamicIcon URL can run arbitrary JavaScript in that user's browser with the SiYuan instance's origin. That is a classic reflected XSS outcome: theft of session tokens or other credentials the browser can reach, actions performed in the application as the victim, and further requests to the instance's API from the victim's browser. The missing escaping also has a functional cost: icon text containing characters such as < or > produces malformed SVG instead of rendering those characters, so legitimate use of them fails. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Test only instances you are authorized to assess. The check is a reflection probe against /api/icon/getDynamicIcon: send a content value that closes the <text> element and injects a <script> element, for example `test</text><script>alert(window.origin)</script><text>`, and inspect the SVG that comes back. A vulnerable server returns the input verbatim, so the body contains a literal `<script>` element; a patched server returns it as text, i.e. `&lt;script&gt;`. With curl, percent-encode the parameter so the shell, any proxy and the server all parse it the same way: `curl -i -G 'http://your-siyuan-instance/api/icon/getDynamicIcon' --data-urlencode 'type=8' --data-urlencode 'content=test</text><script>alert(1)</script><text>'`. Opening the same URL directly in a browser (not via an <img> tag, which never runs SVG scripts) shows the alert on a vulnerable instance. To spot exploitation attempts, search access logs for requests to this endpoint whose content parameter contains `<` or its encoded form `%3C`, and inspect responses with Content-Type image/svg+xml for bodies that contain `<script`. [3]
What immediate steps should I take to mitigate this vulnerability?
Upgrade SiYuan to version 3.5.4 or later; the affected range ends before 3.5.4. The root cause reported for this endpoint is missing XML escaping of the content query parameter, so after upgrading, repeat the reflection probe and confirm that the response carries `&lt;script&gt;` rather than a literal `<script>` element; that is the check that the escaping is in place. Version 3.5.4 is also reported to disable SVG script execution by default and to strip embedded scripts from SVG content before serving it [1, 2]; keep the editor setting "Allow SVG script execution" unchecked. Treat that setting as defense in depth rather than as the fix for this endpoint, because it governs scripts inside SVG files the editor renders [1, 2], while a reflected getDynamicIcon response opened directly in a browser is interpreted by the browser, not by the editor. Response headers such as `Content-Type: image/svg+xml`, `Cache-Control: no-cache` and `Pragma: no-cache` [1, 2] do not stop an injected script from running; if you front the instance with a reverse proxy and cannot upgrade immediately, adding a restrictive `Content-Security-Policy` (for example `default-src 'none'`, or `sandbox`) to responses from /api/icon/getDynamicIcon is a reasonable interim control, and exposing the instance only to trusted networks reduces who can deliver the crafted link in the first place.
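The following Go program is an added example written for this page, not SiYuan's code. It ties together the three answers above: an illustrative reconstruction of the unescaped rendering described in the first answer, the escaped rendering a fix should produce, and an in-process version of the reflection probe described in the detection answer. The SVG markup, handler shape, function names and the port in the comment are assumptions made for the example; only the endpoint path, the `type` and `content` parameters, the Content-Type and the probe payload come from the page.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Probe value from the detection answer: it closes the <text> element,
// injects a <script> element and reopens <text> so the SVG stays well-formed.
const probe = `test</text><script>alert(window.origin)</script><text>`

// svgTemplate is an assumed minimal icon document; SiYuan's real markup differs.
const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><text x="16" y="20" text-anchor="middle">%s</text></svg>`

// renderVulnerable reconstructs the flaw: caller-controlled text is placed in
// the <text> element with no XML escaping (illustration, not SiYuan's code).
func renderVulnerable(content string) string {
	return fmt.Sprintf(svgTemplate, content)
}

// renderFixed escapes the XML-significant characters first. html.EscapeString
// emits &lt; &gt; &amp; &#39; &#34;, all of which are valid XML references.
func renderFixed(content string) string {
	return fmt.Sprintf(svgTemplate, html.EscapeString(content))
}

// iconHandler serves the icon the way the affected endpoint does: the text
// comes from the content query parameter and the body is image/svg+xml.
func iconHandler(render func(string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "image/svg+xml")
		io.WriteString(w, render(r.URL.Query().Get("content")))
	}
}

// elementNames parses the body as XML and returns element names in document
// order. A parse error means the payload broke the document outright.
func elementNames(body string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(body))
	var names []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok {
			names = append(names, se.Name.Local)
		}
	}
}

// analyze decides from a probe response whether the input was reflected
// unescaped: a <script> element in a served image/svg+xml body means yes.
func analyze(contentType, body string) (bool, error) {
	if !strings.HasPrefix(contentType, "image/svg+xml") {
		return false, fmt.Errorf("unexpected Content-Type %q", contentType)
	}
	names, err := elementNames(body)
	if err != nil {
		return false, fmt.Errorf("response is not well-formed XML: %w", err)
	}
	for _, n := range names {
		if n == "script" {
			return true, nil
		}
	}
	return false, nil
}

// probeURL builds the request from the detection answer, with the payload
// percent-encoded so proxies and the server parse it identically.
func probeURL(base string) string {
	return base + "/api/icon/getDynamicIcon?type=8&content=" + url.QueryEscape(probe)
}

// ProbeHandler exercises a handler in-process, without a network listener.
func ProbeHandler(h http.Handler) (bool, error) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, probeURL(""), nil))
	return analyze(rec.Header().Get("Content-Type"), rec.Body.String())
}

// ProbeInstance runs the same check against a live base URL, for example
// http://127.0.0.1:6806 (assumed default; only probe instances you may test).
func ProbeInstance(base string) (bool, error) {
	resp, err := http.Get(probeURL(base))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return analyze(resp.Header.Get("Content-Type"), string(b))
}

func main() {
	for _, c := range []struct {
		name   string
		render func(string) string
	}{{"unescaped", renderVulnerable}, {"escaped", renderFixed}} {
		srv := httptest.NewServer(iconHandler(c.render))
		v, err := ProbeInstance(srv.URL)
		srv.Close()
		fmt.Printf("%-9s reflected <script>: %v (err=%v)\n", c.name, v, err)
	}
}
```

The probe parses the response as XML instead of string-matching, so it distinguishes a reflected `<script>` element from the harmless `&lt;script&gt;` text a patched server returns; a parse error is reported rather than treated as a pass, since a broken document still means the input was not escaped.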