Reflected cross-site scripting (XSS) in github.com/siyuan-note/siyuan/kernel

Description

SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

Summary

Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input.

Details

The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG text element without XML escaping. Because the response Content-Type is image/svg+xml, unescaped tags break out of the XML structure and allow JavaScript to execute when the SVG is loaded directly.
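The flaw and its fix side by side, as an added Go example that is not SiYuan's own code: a hypothetical icon template (not the kernel's real markup) with the content parameter concatenated verbatim, the same template with encoding/xml escaping, and a small parser that reports whether the <text> element stays intact and how many <script> elements appear.

```go
package main

import (
	"encoding/xml"
	"io"
	"strings"
)

// Hypothetical stand-in for the type=8 text icon template (not SiYuan's real markup).
const svgHead = `<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64"><text x="32" y="40">`
const svgTail = `</text></svg>`

// buildIconSVGUnsafe reproduces the flaw: content lands in the SVG body verbatim.
func buildIconSVGUnsafe(content string) string {
	return svgHead + content + svgTail
}

// buildIconSVGSafe escapes content as XML text, so <, >, & and quotes become
// entities and can neither close the <text> element nor open a <script> one.
func buildIconSVGSafe(content string) string {
	var sb strings.Builder
	_ = xml.EscapeText(&sb, []byte(content)) // only errors if the writer does
	return svgHead + sb.String() + svgTail
}

// inspectIconSVG parses the document as an SVG renderer would and returns the
// decoded text of <text> elements plus the number of <script> elements found.
func inspectIconSVG(svg string) (string, int, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	text, scripts, inText := "", 0, false
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return text, scripts, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if t.Name.Local == "script" {
				scripts++
			}
			inText = inText || t.Name.Local == "text"
		case xml.EndElement:
			inText = inText && t.Name.Local != "text"
		case xml.CharData:
			if inText {
				text += string(t)
			}
		}
	}
	return text, scripts, nil
}
```

With the PoC payload from this report, the unsafe builder yields one <script> element and an icon text of just "test", while the escaped builder yields no script and the full string as visible icon text, which also shows that legitimate < and > characters survive once escaping is in place.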

PoC

Payload: test</text><script>alert(window.origin)</script><text>

    Open any note and click Change Icon -> Dynamic (Text).

    Change the color, paste the payload into the Custom field, and click the icon.

    Intercept and send the request, or take the request path from devtools.

    The JavaScript payload executes after the URL is opened.

Impact

Arbitrary JavaScript execution in the user's session context if the SVG is loaded directly. The missing escaping also prevents legitimate characters such as < or > from being used in icon text.

Note

Tested version: (given only as a screenshot in the original report)

Mitigation
