CVE-2026-23852 MEDIUM

CVE-2026-23852: SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute

Vendor Siyuan-Note
Product siyuan
Weakness CWE-94 · Code injection
Published January 19, 2026
Last update January 20, 2026

CVSS base score

5.8/10 (CVSS 4.0)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P

What the vulnerability does

Description

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.
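The description above reports that the `icon` block attribute accepted through `setBlockAttrs` was later rendered without sanitisation, so a stored value could break out of its HTML attribute. The Go code below is an added illustration of the two defensive layers a fix for this class of bug normally combines: an allowlist check at the API boundary and HTML attribute escaping at render time. It is not SiYuan's code; the allowlist pattern, the `Block` type, the `/icons/` URL scheme and the sample values are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
)

// Assumed allowlist for an icon value: either a hex code-point sequence for an
// emoji ("1f600", "1f1e8-1f1f3") or a plain file name with an image extension.
// This pattern is an assumption for the example, not SiYuan's actual rule.
var iconAllowed = regexp.MustCompile(
	`^(?:[0-9a-f]{4,6}(?:-[0-9a-f]{4,6})*|[A-Za-z0-9_-]+\.(?:png|svg|jpg|jpeg|gif|webp))$`)

// ErrBadIcon is returned when a value fails the allowlist.
var ErrBadIcon = errors.New("icon attribute rejected by allowlist")

// ValidateIcon is the input-side defence: reject anything that is not a
// known-good icon identifier before it is stored. An empty value means
// "no icon" and is accepted.
func ValidateIcon(v string) error {
	if v == "" {
		return nil
	}
	if !iconAllowed.MatchString(v) {
		return ErrBadIcon
	}
	return nil
}

// Block is a minimal stand-in (assumption) for a note block with attributes.
type Block struct {
	Attrs map[string]string
}

// SetBlockAttrs models the API boundary: every submitted attribute is
// validated first, and nothing is stored if any value is rejected.
func SetBlockAttrs(b *Block, attrs map[string]string) error {
	for k, v := range attrs {
		if k == "icon" {
			if err := ValidateIcon(v); err != nil {
				return err
			}
		}
	}
	if b.Attrs == nil {
		b.Attrs = map[string]string{}
	}
	for k, v := range attrs {
		b.Attrs[k] = v
	}
	return nil
}

// RenderIconUnsafe shows the vulnerable pattern for contrast: the stored value
// is concatenated straight into an HTML attribute, so a quote in the value
// ends the attribute and anything after it becomes new attributes.
func RenderIconUnsafe(icon string) string {
	return fmt.Sprintf(`<img class="icon" src="/icons/%s">`, icon)
}

// RenderIconSafe is the output-side defence: html.EscapeString turns
// quotes, angle brackets and ampersands into entities, so the value can
// never terminate the attribute or open a new tag even if validation was
// bypassed upstream.
func RenderIconSafe(icon string) string {
	return fmt.Sprintf(`<img class="icon" src="/icons/%s">`, html.EscapeString(icon))
}

func main() {
	// Constructed sample: a value that tries to inject an extra attribute.
	injected := `x" data-injected="1`
	fmt.Println("unsafe:", RenderIconUnsafe(injected))
	fmt.Println("safe:  ", RenderIconSafe(injected))

	b := &Block{}
	fmt.Println("store good icon:", SetBlockAttrs(b, map[string]string{"icon": "1f600"}))
	fmt.Println("store bad icon: ", SetBlockAttrs(b, map[string]string{"icon": injected}))
}
```

Both layers matter: the allowlist stops the bad value from being persisted, and the escaping ensures that a value which somehow reached storage anyway (through an older path, a migration, or a second API) is still inert when rendered.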

Key dates

Disclosure timeline

January 19, 2026 CVE published
January 20, 2026 Record updated