Platform: python
Component: siyuan
Fixed in: 3.5.5
CVE-2026-23852 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in SiYuan, a personal knowledge management system. This vulnerability allows attackers to inject arbitrary HTML attributes, potentially leading to remote code execution (RCE) within the desktop environment. The vulnerability affects versions of SiYuan prior to 3.5.4 and has been addressed with the release of version 3.5.4.
The primary impact of CVE-2026-23852 is the ability for an attacker to inject malicious HTML into the icon attribute of blocks within SiYuan. This injection occurs through the /api/attr/setBlockAttrs API, which is used to manage block attributes. The injected payload is then rendered in the dynamic icon feature without proper sanitization. In the desktop environment, this can be exploited to achieve remote code execution. The bypass of the previous fix for issue #15970 highlights the complexity of preventing XSS vulnerabilities in dynamic content rendering. An attacker could potentially steal user credentials, deface the application, or execute arbitrary code on the user's machine, depending on the privileges of the SiYuan process.
CVE-2026-23852 was publicly disclosed on 2026-01-19. The vulnerability bypasses a previous fix, indicating a potential for widespread exploitation. There is no indication of this CVE being added to the CISA KEV catalog or active exploitation campaigns at this time. Public proof-of-concept (POC) code is currently unavailable, but the nature of the XSS vulnerability suggests that it is likely to be developed and shared.
Users of SiYuan's desktop application are particularly at risk due to the potential for remote code execution. Individuals who rely on SiYuan for sensitive information or who share their knowledge base with others are also at increased risk, as an attacker could potentially steal credentials or deface the application. Shared hosting environments where multiple users share the same SiYuan instance are also vulnerable.
• linux / server: Monitor SiYuan's access logs for unusual requests to /api/attr/setBlockAttrs containing suspicious HTML attributes. Use journalctl -f -u siyuan to monitor for error messages related to attribute parsing or rendering.
• generic web: Use curl to test the /api/attr/setBlockAttrs endpoint with a simple HTML payload (e.g., <script>alert(1)</script>) and observe the response for signs of XSS.
• python: If you have access to the SiYuan source code, review the /api/attr/setBlockAttrs endpoint for proper input validation and output encoding of the icon attribute.
disclosure
Exploit Status
EPSS: 0.17% (37th percentile)
CISA SSVC
The primary mitigation for CVE-2026-23852 is to upgrade SiYuan to version 3.5.4 or later, which includes a fix for the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /api/attr/setBlockAttrs API to prevent the injection of malicious HTML. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting HTML attributes could also provide a temporary layer of protection. Regularly review and update SiYuan's security configuration to ensure best practices are followed. After upgrading, confirm the fix by attempting to inject a simple HTML payload via the /api/attr/setBlockAttrs API and verifying that it is properly sanitized.
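As an added example, not code from the SiYuan project or from the original advisory: a Python helper that reviews a setBlockAttrs request body for the markup-in-attribute pattern described above and applies the allowlist-plus-escaping treatment of the icon value suggested as a workaround. The request shape, the allowlist pattern and the fallback icon are assumptions.

```python
import html
import json
import re

# Assumed request shape for POST /api/attr/setBlockAttrs: {"id": "<block id>", "attrs": {...}}.
# Assumed allowlist for the icon attribute: emoji code points as hex (e.g. "1f600") or a
# custom icon file name such as "logo.png". Adjust to the values your instance actually stores.
ICON_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Characters that can break out of an HTML attribute or start a tag when rendered unescaped.
HTML_META = re.compile(r"""[<>"'&=]""")
DEFAULT_ICON = "1f4c4"  # constructed fallback value used when an icon is rejected


def inspect_set_block_attrs(body: str) -> list[str]:
    """Return one finding per attribute in a setBlockAttrs body whose value looks like
    markup rather than an icon identifier. Intended for request-log review."""
    findings = []
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    attrs = req.get("attrs") or {}
    for name, value in attrs.items():
        if not isinstance(value, str):
            continue
        if name == "icon" and not ICON_ALLOWED.fullmatch(value):
            findings.append(f"icon value rejected by allowlist: {value!r}")
        elif HTML_META.search(value):
            findings.append(f"attribute {name!r} contains HTML metacharacters")
    return findings


def safe_icon_attr(value: str) -> str:
    """Return an icon value that is safe to place inside a quoted HTML attribute:
    allowlisted values pass through, anything else falls back to DEFAULT_ICON,
    and the result is attribute-escaped as a second layer (defence in depth)."""
    chosen = value if ICON_ALLOWED.fullmatch(value) else DEFAULT_ICON
    return html.escape(chosen, quote=True)


# Constructed sample bodies: a benign emoji icon and an attempted attribute injection.
SAMPLE_BENIGN = json.dumps({"id": "20240101120000-abcdefg", "attrs": {"icon": "1f600"}})
SAMPLE_INJECTED = json.dumps({"id": "20240101120000-abcdefg",
                              "attrs": {"icon": '1f600" data-x="y'}})

if __name__ == "__main__":
    for label, body in (("benign", SAMPLE_BENIGN), ("injected", SAMPLE_INJECTED)):
        print(label, inspect_set_block_attrs(body) or "no findings")
    print(safe_icon_attr('1f600" data-x="y'))  # falls back to the default icon
```

The same check can be run against the post-upgrade verification step: a body that is rejected here but accepted and rendered unescaped by the server indicates the fix is not in place.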
Update SiYuan to version 3.5.4 or higher. This version contains a fix for the stored XSS vulnerability that makes remote code execution possible in the desktop environment.
CVE-2026-23852 is a stored Cross-Site Scripting (XSS) vulnerability in SiYuan versions prior to 3.5.4, allowing attackers to inject malicious HTML into block icons.
You are affected if you are using SiYuan version 3.5.4 or earlier. Upgrade to version 3.5.4 to mitigate the risk.
Upgrade SiYuan to version 3.5.4 or later. Consider implementing input validation and output encoding as a temporary workaround.
There is currently no confirmed evidence of active exploitation, but the bypass of a previous fix suggests a potential for exploitation.
Refer to the SiYuan project's official website and security advisories for the latest information regarding CVE-2026-23852.