CVE-2026-23852 · CRITICAL 9.6 · EPSS percentile 47.5%

Description

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
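
The description names the bug class (an attribute value spliced into rendered HTML without neutralization, so a quote in the value ends the attribute early and everything after it becomes new attributes) and the fixed release (3.5.4). The Go block below is an added illustration written for this page; it is not SiYuan's code, not the advisory's payload, and makes no claim about how the dynamic icon feature is implemented. It shows a minimal vulnerable renderer beside a hardened one (allowlist on write, escape on output) and a version gate against 3.5.4. The `icon` allowlist pattern, the `<img>` markup, the CSS class name and the sample inputs are assumptions chosen for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
	"strconv"
	"strings"
)

// fixedVersion is the release the advisory names as carrying the updated fix.
var fixedVersion = [3]int{3, 5, 4}

// parseVersion parses a "major.minor.patch" string (a leading "v" is tolerated).
// Anything else is rejected rather than guessed at.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "v"), ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// IsVulnerableVersion reports whether a kernel version string is older than 3.5.4.
func IsVulnerableVersion(s string) (bool, error) {
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if v[i] != fixedVersion[i] {
			return v[i] < fixedVersion[i], nil
		}
	}
	return false, nil
}

// RenderIconVulnerable is a constructed illustration of the bug class (not
// SiYuan's code): the stored value is concatenated into an HTML attribute with
// no escaping, so a value containing a double quote closes src early and the
// remainder is parsed as additional attributes.
func RenderIconVulnerable(icon string) string {
	return `<img class="icon" src="` + icon + `">`
}

// iconPattern is an assumed allowlist for icon identifiers: letters, digits,
// dot, underscore, hyphen and slash, bounded in length. A real project should
// derive the pattern from the identifiers it actually issues.
var iconPattern = regexp.MustCompile(`^[A-Za-z0-9._/-]{1,128}$`)

var ErrInvalidIcon = errors.New("icon attribute rejected by allowlist")

// ValidateIcon is the server-side check a write path such as a setBlockAttrs
// handler would apply before persisting the attribute: reject, do not repair.
func ValidateIcon(icon string) error {
	if !iconPattern.MatchString(icon) {
		return ErrInvalidIcon
	}
	return nil
}

// RenderIconSafe layers both controls: the allowlist (repeated at render time
// as a backstop for values stored before the check existed) and HTML escaping
// on output, so even a hostile stored value cannot leave the attribute.
func RenderIconSafe(icon string) (string, error) {
	if err := ValidateIcon(icon); err != nil {
		return "", err
	}
	return `<img class="icon" src="` + html.EscapeString(icon) + `">`, nil
}

// CountAttributes counts the attributes a rendered tag ends up with; the
// template above declares exactly two, so a higher count means injection.
func CountAttributes(tag string) int {
	return strings.Count(tag, `="`)
}

func main() {
	// Constructed input exercising the attribute-injection class: a quote that
	// closes src early, then an extra attribute. Not the reported payload.
	hostile := `x" data-injected="1`
	fmt.Println(RenderIconVulnerable(hostile), "attributes:", CountAttributes(RenderIconVulnerable(hostile)))
	if _, err := RenderIconSafe(hostile); err != nil {
		fmt.Println("hardened renderer:", err)
	}
	safe, _ := RenderIconSafe("emojis/1f600.png")
	fmt.Println(safe)
	for _, v := range []string{"3.5.3", "3.5.4", "v3.6.0"} {
		vuln, _ := IsVulnerableVersion(v)
		fmt.Println(v, "vulnerable:", vuln)
	}
}
```

Escaping alone would already stop the quote from terminating the attribute; the allowlist is the stricter layer because it also refuses values that escaping does not address (schemes, whitespace, anything that is not an icon identifier), and rejecting on write keeps bad data out of the store in the first place.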

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.68% probability of exploitation · percentile 47.5% · 2026-06-18T12:00:27Z
Published: 2026-01-19
Last modified: 2026-01-30

Underlying weaknesses · 2

CWE-94 · CWE-79

References

  1. https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb
  2. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-79 | 0% | live
Weakness | Improper Control of Generation of Code ('Code Injection'), CWE-94 | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-34448
CVE: CVE-2026-34585
CVE: CVE-2026-33067
CVE: CVE-2026-33066
CVE: CVE-2026-39846
CVE: CVE-2026-44586
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.