PT-2026-3498 · Siyuan · Siyuan

0Xnayel · Published 2026-01-19 · Updated 2026-01-20

CVE-2026-23852 · CVSS v3.1 9.6 Critical · Vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.4
Description: SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a stored Cross-Site Scripting (XSS) vulnerability: an attacker can inject arbitrary HTML attributes into a block's icon attribute through the /api/attr/setBlockAttrs API endpoint, and the dynamic icon feature renders the stored value unsanitized. The payload fires when a user views the affected block (hence UI:R in the vector), yielding stored XSS and potentially remote code execution (RCE) in the desktop application. This bypasses the previous fix for issue #15970. The vulnerable parameter is icon.
Recommendations: Update to SiYuan 3.5.4 or later.

Exploit · Fix · RCE · Code Injection · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-23852
GHSA-7C6G-G2HX-23VV

Affected Products

Siyuan