CVE-2026-23852
Unknown Unknown - Not Provided
Stored XSS in SiYuan Blocks Enables Remote Code Execution

Publication date: 2026-01-19

Last updated on: 2026-01-19

Assigner: GitHub, Inc.

Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS β†’ RCE via dynamic icons). Version 3.5.4 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-01-19
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23852
EUVD
EUVD-2026-3290
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
siyuan siyuan to 3.5.4 (exc)
siyuan siyuan to 3.5.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23852 is a stored Cross-Site Scripting (XSS) vulnerability in SiYuan versions prior to 3.5.4. It occurs because the `icon` attribute of a block can be manipulated via the `/api/attr/setBlockAttrs` API to inject arbitrary HTML attributes. The injected payload is stored and later rendered in the dynamic icon feature without proper sanitization, allowing attackers to execute arbitrary JavaScript code when the block is viewed. In the desktop environment, this XSS can escalate to remote code execution (RCE) by exploiting Node/Electron APIs. This vulnerability bypasses a previous fix and was patched in version 3.5.4. [2]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious scripts into the SiYuan application via the `icon` attribute of blocks. Any user viewing the compromised block can have arbitrary JavaScript executed in their context (stored XSS). In the desktop version of SiYuan, this can escalate to remote code execution (RCE), enabling attackers to run arbitrary system commands through Node/Electron APIs, potentially compromising your system's security and data. [2]

Detection Guidance

You can detect this vulnerability by checking if any blocks have an 'icon' attribute containing suspicious payloads that inject HTML attributes, especially those including quotes and event handlers like 'onload'. For example, you can monitor or intercept POST requests to the '/api/attr/setBlockAttrs' API endpoint and look for payloads where the 'icon' attribute contains strings like: api/icon/getDynamicIcon" onload="alert(document.domain). Using tools like curl or HTTP interceptors, you can send or capture requests to identify such patterns. A sample detection command could be: curl -X POST -H "Content-Type: application/json" -d '{"id":"<BLOCK_ID>","attrs":{"icon":"api/icon/getDynamicIcon\" onload=\"alert(document.domain)"}}' http://<target>/api/attr/setBlockAttrs and observe if the payload is accepted or rendered unsanitized. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade SiYuan to version 3.5.4 or later, where the vulnerability is fixed by properly sanitizing the dynamic icon HTML content using the Lute.Sanitize() function. If upgrading is not immediately possible, restrict access to the '/api/attr/setBlockAttrs' API endpoint to trusted users only, and monitor or block suspicious payloads attempting to inject HTML attributes. Applying input sanitization or validation on the server side before accepting icon attribute changes can also help mitigate exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23852. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart