CVE-2026-29183
CRITICAL
GHSA-6865-qjcf-286f
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
4Description
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
Analysis
Reflected XSS in SiYuan knowledge management before 3.5.9.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all SiYuan deployments and their versions; assess exposure by determining internet accessibility and user count. Within 7 days: Implement WAF rules to block requests to /api/icon/getDynamicIcon with type=8 parameter; restrict API access to authenticated users only through network controls if feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today