CVE-2026-23847

SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

Description

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]

INFO

Published Date :

2026-01-19T19:46:08.980Z

Last Modified :

2026-01-20T14:37:42.649Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23847 vulnerability.

Vendors	Products
B3log	Siyuan
Siyuan	Siyuan

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23847.

URL	Resource
https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777
https://github.com/siyuan-note/siyuan/issues/16844
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact