CVE-2026-23847
Unknown Unknown - Not Provided
Reflected XSS in SiYuan /api/icon/getDynamicIcon SVG Endpoint

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23847
EUVD
EUVD-2026-3293
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
siyuan_note siyuan to 3.5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23847 is a reflected Cross-Site Scripting (XSS) vulnerability in the Siyuan personal knowledge management system prior to version 3.5.4. It occurs in the /api/icon/getDynamicIcon endpoint, which generates SVG images for text icons. The vulnerability arises because the content query parameter is inserted directly into the SVG <text> tag without proper XML escaping. Since the response is served with Content-Type image/svg+xml, an attacker can inject unescaped tags to break the XML structure and execute arbitrary JavaScript in the user's browser. This allows malicious scripts to run in the context of the user's session. [3]

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript in the context of a user's session when they load a crafted SVG icon. This can lead to Cross-Site Scripting (XSS) attacks, potentially enabling theft of session tokens, user impersonation, or other malicious actions within the application. It also prevents legitimate use of certain characters like < or > in icon text, affecting normal functionality. [3]

Detection Guidance

This vulnerability can be detected by testing the /api/icon/getDynamicIcon endpoint for reflected cross-site scripting (XSS) by injecting SVG content with script tags in the content query parameter. For example, sending a request with a payload like `test</text><script>alert(window.origin)</script><text>` in the content parameter and observing if the script executes when the SVG is rendered indicates the vulnerability. You can use curl or similar tools to test this, for example: `curl 'http://your-siyuan-instance/api/icon/getDynamicIcon?type=8&content=test</text><script>alert(1)</script><text>' -i` and check if the response SVG contains unescaped script tags or if the script executes in a browser. Additionally, monitoring HTTP responses for SVG content with embedded scripts can help detect exploitation attempts. [3]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Siyuan to version 3.5.4 or later, which disables SVG script execution by default and sanitizes SVG content by removing embedded scripts before serving. Ensure the editor setting "Allow SVG script execution" is unchecked to prevent scripts within SVG files from running. Additionally, verify that HTTP headers such as "Content-Type: image/svg+xml" and cache control headers like "Cache-Control: no-cache" and "Pragma: no-cache" are properly set to prevent caching of unsafe content. These steps prevent execution of malicious scripts embedded in SVG files and reduce the risk of reflected XSS attacks. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart