Home > Vulnerability Database > CVE-2026-23852

Mend.io Vulnerability Database

CVE-2026-23852

Good to know:

Date: January 19, 2026

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the "icon" attribute of a block via the "/api/attr/setBlockAttrs" API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue "#15970" (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.

Severity Score

9.6

Related Resources (4)

Url: https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb

Url: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23852

Url: https://www.mend.io/vulnerability-database/CVE-2026-23852

Severity Score

9.6

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version https://github.com/siyuan-note/siyuan.git - v3.5.4-dev3

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23852

Good to know:

Date: January 19, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?