PT-2026-3492 · Siyuan · Siyuan

Jaroslaw-Wawiorko · Published 2026-01-19 · Updated 2026-02-06

CVE-2026-23847
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.4
Description: SiYuan is a personal knowledge management system susceptible to reflected cross-site scripting. The issue occurs in the /api/icon/getDynamicIcon API endpoint. The endpoint generates SVG images for text icons (type=8), and the value of the content parameter is inserted directly into the SVG <text> element without XML escaping. Because the response Content-Type is set to image/svg+xml, the browser parses the response as an SVG document, so unescaped tags in content break out of the <text> element, disrupt the XML structure and can lead to JavaScript execution in the user's browser.
Recommendations: Update to version 3.5.4 or later.
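An added example, not SiYuan's code, written in Go (the project's language) to contrast the unescaped insertion described above with the escaped form; the SVG template, the handler and the CSP header are assumptions for illustration, not the project's actual markup or fix:

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"log"
	"net/http"
)

// Constructed, simplified stand-in for a dynamic text-icon SVG (not SiYuan's markup).
const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64"><text x="32" y="40" text-anchor="middle">%s</text></svg>`

// RenderTextIconUnsafe mirrors the flaw in the advisory: caller-controlled
// content lands inside <text> verbatim, so any markup in it becomes part of
// the SVG document instead of visible characters.
func RenderTextIconUnsafe(content string) string {
	return fmt.Sprintf(svgTemplate, content)
}

// RenderTextIcon is the hardened form: the content is XML-escaped, so '<',
// '>', '&' and quotes survive only as entities and cannot close the <text>
// element or open a new one.
func RenderTextIcon(content string) (string, error) {
	var buf bytes.Buffer
	if err := xml.EscapeText(&buf, []byte(content)); err != nil {
		return "", err
	}
	return fmt.Sprintf(svgTemplate, buf.String()), nil
}

// dynamicIconHandler is a hypothetical handler showing where the fix sits:
// escape before serving as image/svg+xml, and add a restrictive CSP so inline
// script in a served SVG stays inert even if another escaping gap appears.
func dynamicIconHandler(w http.ResponseWriter, r *http.Request) {
	svg, err := RenderTextIcon(r.URL.Query().Get("content"))
	if err != nil {
		http.Error(w, "bad content", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "image/svg+xml")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
	fmt.Fprint(w, svg)
}

func main() {
	http.HandleFunc("/api/icon/getDynamicIcon", dynamicIconHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```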

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23847
GHSA-W836-5GPM-7R93
GO-2026-4343
SUSE-SU-2026:0403-1

Affected Products

Siyuan