CVE-2026-23852

CVE-2026-23852 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79, CWE-94) affecting SiYuan, a personal knowledge management system, in versions prior to 3.5.4. The flaw allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block through the `/api/attr/setBlockAttrs` API endpoint. This payload is subsequently rendered without sanitization in the dynamic icon feature, resulting in stored XSS. In the desktop environment, this can escalate to remote code execution (RCE). The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and bypasses a prior fix for issue #15970 related to XSS-to-RCE via dynamic icons.

An attacker can exploit this vulnerability remotely over the network with low complexity and no required privileges, provided the victim interacts with the malicious content (e.g., opens or views a note containing the injected block). Successful exploitation leads to stored XSS, enabling theft of session cookies, keystroke logging, or further attacks within the victim's browser context. In SiYuan's desktop application, the XSS can potentially achieve RCE by leveraging the application's capabilities to execute system commands.

Mitigation is addressed in SiYuan version 3.5.4, which includes an updated fix for the vulnerability. Security practitioners should advise users to upgrade immediately. Relevant details are available in the GitHub security advisory (GHSA-7c6g-g2hx-23vv) and the fixing commit (0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb).