Vulnerability Description
SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| B3Log | Siyuan | < 3.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7Patch
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vvExploitVendor AdvisoryPatch
FAQ
What is CVE-2026-23852?
CVE-2026-23852 is a vulnerability with a CVSS score of 9.6 (CRITICAL). SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `i...
How severe is CVE-2026-23852?
CVE-2026-23852 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-23852?
Check the references section above for vendor advisories and patch information. Affected products include: B3Log Siyuan.