PT-2026-3498 · Siyuan · Siyuan

·

CVE-2026-23852

·

Published

2026-01-19

·

Updated

2026-01-20

CVSS v3.1

9.6

Critical

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.4
Description SiYuan is a personal knowledge management system with a stored Cross-Site Scripting (XSS) issue. An attacker can inject arbitrary HTML attributes into the icon attribute of a block through the /api/attr/setBlockAttrs API endpoint. The payload is rendered unsanitized in the dynamic icon feature, leading to stored XSS and potentially remote code execution (RCE) in the desktop environment. This bypasses a previous fix for issue #15970. The vulnerable parameter is icon.
Recommendations Update to version 3.5.4 or later.

Exploit

Fix

RCE

Code Injection

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-23852
GHSA-7C6G-G2HX-23VV

Affected Products

Siyuan