PT-2026-23102 · Siyuan · Siyuan

Maru1009 · Published 2026-03-04 · Updated 2026-04-01

CVE-2026-29183 · CVSS v3.1 9.3 Critical · Vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.9
Description: SiYuan, a personal knowledge management system, contains an unauthenticated reflected cross-site scripting (XSS) vulnerability in the dynamic icon API endpoint 'GET /api/icon/getDynamicIcon' when type=8. The handler inserts attacker-controlled content into the generated SVG without escaping it, and the response is served with the image/svg+xml content type, so a browser that loads the crafted URL parses the payload as an active document and runs any injected SVG/HTML event handler (e.g., onerror) within the SiYuan web origin. Because the endpoint requires no authentication, an attacker can build the URL without an account; when a logged-in user opens the link, the injected script runs with that user's session and can invoke authenticated API actions and exfiltrate data. The root cause is unsafe output construction: user-controlled content is concatenated into the SVG markup with no escaping. Script inside an SVG executes only when the response is loaded as a document (for example by following the link directly), not when the same URL is referenced from an <img> element, which is why user interaction (UI:R) is required for exploitation.
Recommendations: Upgrade to SiYuan version 3.5.9 or later.
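The following Go program is an added illustration of the bug class described above; it is not SiYuan's code (SiYuan's kernel is written in Go, as the GO-2026-4596 identifier reflects, so the example uses the same language). The SVG template, the query parameter name `content`, and the payload shape are assumptions made for the example. The unsafe handler interpolates the query value straight into the SVG; the hardened handler escapes it with html.EscapeString and additionally sends a sandboxed Content-Security-Policy as defence in depth. Because an image/svg+xml response is parsed as XML, an injected fragment has to keep the document well-formed to render at all, which is why the payload closes and reopens the <text> element around the injected <image>.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// svgTemplate is a constructed stand-in for a dynamic-icon renderer that
// places a caller-supplied value as the icon's text. Not SiYuan's template.
const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">` +
	`<rect width="128" height="128" rx="16" fill="#eee"/>` +
	`<text x="64" y="72" text-anchor="middle" font-size="28">%s</text></svg>`

// payload is an illustrative injection (assumed shape, not taken from the
// advisory). It closes <text>, adds an SVG <image> whose failed load fires
// onerror, and reopens <text> so the SVG remains well-formed XML.
const payload = `</text><image href="x" onerror="alert(document.domain)"/><text>`

// iconHandler serves the icon as image/svg+xml. With escape=false it has the
// flaw described in the advisory: the query value is interpolated verbatim.
// With escape=true the value can only ever be rendered as text.
func iconHandler(escape bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		content := r.URL.Query().Get("content") // assumed parameter name
		if escape {
			content = html.EscapeString(content)
			// Defence in depth: a sandboxed CSP forbids script execution in
			// the SVG document even if an escaping gap remains elsewhere.
			w.Header().Set("Content-Security-Policy", "sandbox")
		}
		w.Header().Set("Content-Type", "image/svg+xml")
		fmt.Fprintf(w, svgTemplate, content)
	})
}

// fetchIcon sends a crafted GET through the handler in-process and returns
// the response body, so the caller can inspect how the value came back.
func fetchIcon(h http.Handler, value string) string {
	target := "/api/icon/getDynamicIcon?type=8&content=" + url.QueryEscape(value)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Body.String()
}

// injected reports whether the injected <image> element survived as markup
// (true for the unescaped handler) rather than as escaped text.
func injected(body string) bool {
	return strings.Contains(body, "<image")
}

func main() {
	for _, escape := range []bool{false, true} {
		body := fetchIcon(iconHandler(escape), payload)
		fmt.Printf("escape=%v injected=%v\n%s\n\n", escape, injected(body), body)
	}
}
```

Running the program prints the two responses side by side: the unescaped one contains a live <image ... onerror=...> element, the escaped one carries the same bytes as &lt;image href=&#34;x&#34; ...&gt; and is inert. The same probe, sent with curl against a real instance and inspected for unescaped angle brackets in the body, is a quick way to confirm whether a deployment is still on a vulnerable version.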

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-29183
GHSA-6865-QJCF-286F
GO-2026-4596
SUSE-SU-2026:1042-1

Affected Products

Siyuan