Executive Summary

CVE-2026-29183 is a critical reflected Cross-Site Scripting (XSS) vulnerability in the SiYuan personal knowledge management system. It exists in the unauthenticated API endpoint GET /api/icon/getDynamicIcon when the parameter type=8 is used.

The vulnerability occurs because user-controlled content is embedded directly into the SVG output without proper escaping or sanitization. Although the system attempts to remove <script> tags, it does not remove dangerous SVG attributes like onerror or onload, which can contain executable JavaScript.

Since the endpoint is unauthenticated and returns image/svg+xml content, an attacker can craft a malicious URL that injects executable SVG/HTML event handlers. When a logged-in user opens this URL, the injected JavaScript runs in the SiYuan web origin.

This JavaScript execution can be chained to perform authenticated API actions and exfiltrate sensitive data such as notes and configurations.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to execute arbitrary JavaScript code within the SiYuan web origin without authentication.'}, {'type': 'list_item', 'content': 'Arbitrary JavaScript execution can lead to theft of sensitive user data such as notes, configurations, and API responses.'}, {'type': 'list_item', 'content': "Attackers can abuse authenticated API actions by leveraging the victim's logged-in session."}, {'type': 'list_item', 'content': "Potential for further attacks depending on the victim's privileges and deployment environment."}, {'type': 'list_item', 'content': 'The vulnerability has a high severity rating with a CVSS v3 score of 9.3, indicating critical impact.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the unauthenticated API endpoint GET /api/icon/getDynamicIcon with the parameter type=8 to see if it reflects attacker-controlled content in the SVG output without proper escaping.'}, {'type': 'paragraph', 'content': 'A practical detection method is to craft a URL that injects an SVG element with an event handler such as onerror to trigger JavaScript execution, for example, an alert showing the document domain.'}, {'type': 'paragraph', 'content': 'You can use curl or similar HTTP clients to send requests and observe the response for unescaped SVG content or injected event handlers.'}, {'type': 'list_item', 'content': 'curl -i "http://<target-host>/api/icon/getDynamicIcon?type=8&content=<image src=x onerror=alert(document.domain)>"'}, {'type': 'list_item', 'content': 'Check the response headers for Content-Type: image/svg+xml and inspect the SVG content for injected event handlers like onerror or onload.'}, {'type': 'list_item', 'content': 'Monitor web traffic or logs for requests to /api/icon/getDynamicIcon with type=8 and suspicious parameters.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the SiYuan application to version 3.5.9 or later, where this vulnerability has been patched.

Until the upgrade is applied, restrict access to the vulnerable API endpoint /api/icon/getDynamicIcon, especially requests with type=8, by implementing network-level controls or web application firewall (WAF) rules.

Avoid clicking or opening untrusted links that may contain crafted URLs exploiting this vulnerability.

Consider monitoring and logging access to the endpoint to detect potential exploitation attempts.

Useful 0 Not Useful 0