
SiYuan CVE-2026-23852

CRITICAL
Code Injection (CWE-94)
2026-01-19 security-advisories@github.com
9.6
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Jan 30, 2026 - 15:08 (vuln.today) - public exploit code
Patch released: Jan 30, 2026 - 15:08 (nvd) - patch available
CVE Published: Jan 19, 2026 - 20:15 (nvd)

Description (GitHub Advisory)

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the icon attribute of a block via the /api/attr/setBlockAttrs API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue #15970 (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.

Analysis (AI)

SiYuan, a personal knowledge management system, has a stored XSS vulnerability (CVSS 9.6) in versions prior to 3.5.4: a crafted block attribute written through the /api/attr/setBlockAttrs API is rendered unsanitized by the dynamic icon feature, and in the desktop (Electron) build that script execution can escalate to code execution on the host.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send crafted API request to /api/attr/setBlockAttrs
Exploit: Inject malicious HTML into the icon attribute of a block
Execution: Payload renders in the dynamic icon feature
Impact: Execute arbitrary code in the desktop environment
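The description and the attack chain above both come down to one pattern: an attribute value accepted by /api/attr/setBlockAttrs is later interpolated into markup without validation or escaping, so a value containing a quote terminates the intended attribute and everything after it becomes attributes the attacker chose. The following is an added illustration of that pattern next to a hardened version; it is not SiYuan's code and not the payload used against SiYuan. The request shape (`id`, `attrs.icon`) follows the public setBlockAttrs API, but `renderIconNaive`, `renderIconSafe`, `ICON_RE` and the sample values are assumptions made for the example.

```javascript
// Added illustration of the attribute-injection pattern behind CVE-2026-23852.
// NOT SiYuan's code: the renderers below are hypothetical stand-ins for a
// dynamic-icon renderer, and the request body is constructed for the example.

// Constructed setBlockAttrs request: the "icon" value carries a double quote
// followed by text the attacker wants treated as a new attribute.
const constructedRequest = {
  id: "20240101120000-abcdefg",            // constructed block id
  attrs: { icon: 'x" data-injected="1' },  // constructed breakout value
};

// Vulnerable pattern: the icon value is pasted straight into src="...".
// The quote inside the value closes src, and the rest of the string is parsed
// by the browser as an additional attribute chosen by the attacker.
function renderIconNaive(icon) {
  return `<img class="icon" src="/emojis/${icon}.png">`;
}

// Hardened pattern, two independent layers:
// 1) validate at the API boundary: an icon is an identifier such as "1f600"
//    or a simple image filename; anything else is rejected before storage.
// 2) escape at render time so a value that somehow slipped through can still
//    not terminate the attribute it lands in.
const ICON_RE = /^[a-z0-9][a-z0-9_\-]{0,63}(\.(png|svg|gif))?$/i;

function isValidIcon(icon) {
  return typeof icon === "string" && ICON_RE.test(icon);
}

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderIconSafe(icon) {
  if (!isValidIcon(icon)) throw new Error("rejected icon value");
  return `<img class="icon" src="/emojis/${escapeAttr(icon)}.png">`;
}

// Crude attribute lister, enough to show whether a breakout produced a new
// attribute in the rendered tag.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z][\w-]*)=/g)].map((m) => m[1]);
}

// Naive handler: stores whatever arrives and renders it.
function setBlockAttrsNaive(req) {
  return { accepted: true, html: renderIconNaive(req.attrs.icon) };
}

// Hardened handler: validates on write, so the renderer never sees the value.
function setBlockAttrsSafe(req) {
  if (!isValidIcon(req.attrs.icon)) return { accepted: false };
  return { accepted: true, html: renderIconSafe(req.attrs.icon) };
}

// Demonstration when run directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log("naive :", setBlockAttrsNaive(constructedRequest).html);
  console.log("safe  :", setBlockAttrsSafe(constructedRequest));
}
```

The point of validating on write rather than only escaping on render is that stored attributes get rendered in more than one place over time; the advisory itself notes that this CVE bypassed an earlier fix for the same sink, which is what happens when the sanitization lives only in the renderer.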

Vulnerability Assessment (AI)

Exploitation: SiYuan versions prior to 3.5.4 with the dynamic icon feature in use. …
Risk Assessment: CVSS 9.6 with a public PoC and a patch available. …
Exploit Scenario: An attacker shares a malicious SiYuan note containing the XSS payload. When another user opens it in the desktop application, the payload executes in the Electron renderer; where that renderer has access to Node.js APIs, the script can read the file system and run OS commands, which is the XSS-to-RCE step the advisory describes.
Remediation: Update SiYuan to version 3.5.4 or later. …

Recommended Action (AI)

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …
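"Identify all affected systems" means finding every SiYuan install and checking its version against the 3.5.4 fix boundary. The helper below is an added example, not SiYuan's code: it parses the version strings and triages a constructed inventory. It assumes the version was collected from each kernel as a JSON object with the version in its `data` field (the shape SiYuan's /api/system/version endpoint returns, to my knowledge; treat that as an assumption to confirm against the project's API documentation). The hosts and responses are constructed, not captured.

```javascript
// Added helper for the "identify affected systems" step of CVE-2026-23852.
// Not SiYuan code. The response objects below are constructed for the example.

const FIXED_VERSION = "3.5.4"; // from the advisory: versions prior to 3.5.4 are affected

// Parse "major.minor.patch" (optional leading "v", trailing suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b. Numeric comparison per
// component, so "3.10.0" correctly sorts above "3.5.4" (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Triage an inventory of { host, response } where response is the raw JSON
// body collected from each kernel (assumed shape: {"code":0,"msg":"","data":"3.5.3"}).
function triage(inventory) {
  return inventory.map(({ host, response }) => {
    const version = JSON.parse(response).data;
    return { host, version, affected: isAffected(version) };
  });
}

function affectedHosts(inventory) {
  return triage(inventory).filter((r) => r.affected).map((r) => r.host);
}

// Constructed inventory (not real hosts or captured responses).
const constructedInventory = [
  { host: "laptop-a", response: '{"code":0,"msg":"","data":"3.5.3"}' },
  { host: "laptop-b", response: '{"code":0,"msg":"","data":"3.5.4"}' },
  { host: "server-c", response: '{"code":0,"msg":"","data":"v3.4.0-dev"}' },
  { host: "laptop-d", response: '{"code":0,"msg":"","data":"3.10.1"}' },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(triage(constructedInventory));
}
```

Desktop installs matter most here: the advisory's RCE impact applies to the desktop environment, so a desktop client on an old version that opens shared notes is the host to patch first.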


CVE-2026-23852 vulnerability details – vuln.today
