Platform
python
Component
siyuan
Fixed version
3.5.5
CVE-2026-23852 describes a stored Cross-Site Scripting (XSS) vulnerability in SiYuan, a personal knowledge management system. It allows an attacker who can set block attributes to inject arbitrary HTML attributes into rendered markup; in the desktop application this can escalate to remote code execution (RCE). Versions of SiYuan prior to 3.5.4 are affected, and the fix shipped in version 3.5.4.
The core of CVE-2026-23852 is that an attacker can write attacker-controlled markup into the icon attribute of a block through the /api/attr/setBlockAttrs API, the endpoint used to manage block attributes. The stored value is later rendered by the dynamic icon feature without adequate sanitization, so a value that closes the attribute early can introduce new attributes such as event handlers. In the desktop environment, script execution obtained this way can be turned into remote code execution. The issue is a bypass of the earlier fix for issue #15970, which shows how hard it is to close XSS in dynamically rendered content when only one injection pattern was blocked. Depending on the privileges of the SiYuan process, an attacker could steal user credentials, deface the application, or execute arbitrary code on the user's machine.
CVE-2026-23852 was publicly disclosed on 2026-01-19. Because it bypasses a previous fix, the earlier sanitization must be treated as incomplete, and any deployment that relied on it is still exposed. There is no indication at this time of the CVE being added to the CISA KEV catalog or of active exploitation campaigns. No public proof-of-concept (PoC) code is currently available, but stored XSS of this kind is easy to reproduce once the injection point is known, so a PoC is likely to appear.
Users of SiYuan's desktop application are at the greatest risk because of the potential for remote code execution. Since stored XSS fires for whoever views the affected block, individuals who keep sensitive information in SiYuan or who share their knowledge base with others are also at increased risk of credential theft or defacement, as are shared hosting environments where multiple users work in the same SiYuan instance.
• linux / server: Monitor SiYuan's access logs for requests to /api/attr/setBlockAttrs whose attribute values contain quotes, angle brackets, on*= handlers or javascript: URIs. If SiYuan runs as a systemd service (the unit name siyuan below is an assumption; adjust it to your deployment), use journalctl -f -u siyuan to watch for error messages related to attribute parsing or rendering.
• generic web: Use curl to send a test value to the /api/attr/setBlockAttrs endpoint (for example an icon value that contains a double quote followed by an event-handler attribute, or a simple <script>alert(1)</script>), then open the block and inspect the rendered markup to see whether the value came back encoded or as live attributes.
• python: If you have access to the SiYuan source code, review the handler behind /api/attr/setBlockAttrs and the dynamic icon renderer for input validation and attribute-context output encoding of the icon value.
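To make the log-monitoring step concrete, here is an added example (not SiYuan's own code or log format) in Python: it scans constructed request-log lines for /api/attr/setBlockAttrs calls whose attribute values carry attribute-breakout or tag-injection markers. The log line shape (method, path, JSON body) and the request body shape ({"id": ..., "attrs": {...}}) are assumptions; adapt the regex to whatever your reverse proxy or request logger actually records.

```python
import json
import re

# Constructed sample lines (not SiYuan's real log format): "METHOD PATH JSON-BODY",
# as a reverse proxy with request-body logging might record them. The body shape
# {"id": ..., "attrs": {...}} is an assumption about the setBlockAttrs request.
SAMPLE_LOG = [
    'POST /api/attr/setBlockAttrs {"id": "20240101120000-abcdefg", "attrs": {"icon": "1f600"}}',
    'POST /api/attr/setBlockAttrs {"id": "20240101120001-hijklmn", '
    '"attrs": {"icon": "1f600\\" onerror=\\"alert(1)"}}',
    'POST /api/attr/setBlockAttrs {"id": "20240101120002-opqrstu", "attrs": {"custom-tag": "<img src=x>"}}',
    'POST /api/block/getBlockInfo {"id": "20240101120000-abcdefg"}',
    'POST /api/attr/setBlockAttrs not-json',
]

TARGET_PATH = "/api/attr/setBlockAttrs"
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$")

# Markers that have no business in an icon value (emoji code points such as "1f600"
# or a file path) and that an attribute-injection payload relies on.
SUSPICIOUS = [
    ("html-tag", re.compile(r"<\s*/?\s*[A-Za-z]")),
    ("attr-breakout", re.compile(r"[\"']")),
    ("event-handler", re.compile(r"\bon[A-Za-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]


def classify_value(value):
    """Return the names of every marker found in one attribute value."""
    return [name for name, rx in SUSPICIOUS if rx.search(value)]


def find_suspicious_attrs(lines):
    """Scan log lines and return one finding per attribute value that carries a marker.

    An unparseable body on the target endpoint is reported too: an attacker who
    wants to dodge body-based filtering has an incentive to send malformed JSON.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("path") != TARGET_PATH:
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            findings.append({"id": None, "attr": None, "value": m.group("body"),
                             "reasons": ["unparseable-body"]})
            continue
        attrs = body.get("attrs") if isinstance(body, dict) else None
        if not isinstance(attrs, dict):
            continue
        for key, value in attrs.items():
            if not isinstance(value, str):
                continue
            reasons = classify_value(value)
            if reasons:
                findings.append({"id": body.get("id"), "attr": key,
                                 "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_attrs(SAMPLE_LOG):
        print(f"block={f['id']} attr={f['attr']} reasons={','.join(f['reasons'])} value={f['value']!r}")
```

The attr-breakout marker deliberately flags any quote character: legitimate icon values never contain one, so a single quote in that field is a stronger signal than a generic `<script>` pattern, which the earlier fix may already have been filtering.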
disclosure
Exploitation status
EPSS
0.17% (37th percentile)
CISA SSVC
The primary mitigation for CVE-2026-23852 is to upgrade SiYuan to version 3.5.4 or later, which includes the fix. If upgrading is not immediately feasible, limit who can reach the /api/attr/setBlockAttrs API (do not expose the SiYuan kernel port to untrusted networks or share access with untrusted users), and if you build SiYuan yourself, add input validation and attribute-context output encoding for the icon attribute. A web application firewall (WAF) configured to detect XSS payloads in HTML attribute values can add a temporary layer of protection, but it is a filter rather than a fix. Regularly review and update SiYuan's security configuration to ensure best practices are followed. After upgrading, confirm the fix by setting an icon value that contains a double quote followed by an event-handler attribute via /api/attr/setBlockAttrs and verifying that the rendered block shows the value encoded rather than as a new attribute.
Update SiYuan to 3.5.4 or later. This version contains a fix for the stored XSS vulnerability, which could allow remote code execution in the desktop environment.
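The mitigation text names output encoding as the fix direction and asks for a re-test after the upgrade. The following added example (not SiYuan's code; the `<span data-icon=...>` markup and the icon allow-list are illustrative assumptions) shows in Python why the attribute context matters: a renderer that concatenates the stored value into an attribute lets a quote in the value add a new attribute, the hardened version encodes it for the attribute context, and a parser-based check tells the two apart the way a browser would, which is a more reliable post-upgrade verification than eyeballing the response.

```python
import html
import re
from html.parser import HTMLParser

# Illustrative markup (an assumption, not SiYuan's real template): the stored
# icon value is placed into a data attribute of a span.
ICON_TEMPLATE = '<span class="icon" data-icon="{value}"></span>'

# Constructed attacker value of the kind the advisory describes: the quote closes
# data-icon early and the rest becomes a new event-handler attribute.
PAYLOAD = '1f600" onerror="alert(1)'

# Assumed allow-list for emoji code point sequences such as "1f600" or "1f1e8-1f1f3".
# Real deployments may also store other icon forms (e.g. custom image paths), so
# treat this as the shape of an input-validation check, not as SiYuan's rule.
ICON_RE = re.compile(r"^[0-9a-fA-F]{4,6}(?:-[0-9a-fA-F]{4,6})*$")


def validate_icon(icon):
    """Input validation: reject anything that is not a plain code point sequence."""
    return bool(ICON_RE.match(icon))


def render_icon_vulnerable(icon):
    """Raw interpolation: the value is trusted as if it were already attribute-safe."""
    return ICON_TEMPLATE.format(value=icon)


def render_icon_hardened(icon):
    """Output encoding for the attribute context: quote=True also encodes " and '."""
    return ICON_TEMPLATE.format(value=html.escape(icon, quote=True))


class _StartTags(HTMLParser):
    """Collects (tag, attrs) for every start tag, with entities already decoded."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def payload_neutralised(fragment, icon):
    """Browser-style check: exactly one span, only class and data-icon, and data-icon
    round-trips the stored value as inert text rather than spawning new attributes."""
    p = _StartTags()
    p.feed(fragment)
    p.close()
    if len(p.tags) != 1 or p.tags[0][0] != "span":
        return False
    attrs = p.tags[0][1]
    return set(attrs) == {"class", "data-icon"} and attrs["data-icon"] == icon


if __name__ == "__main__":
    for name, render in (("vulnerable", render_icon_vulnerable), ("hardened", render_icon_hardened)):
        out = render(PAYLOAD)
        print(f"{name}: {out}\n  neutralised={payload_neutralised(out, PAYLOAD)}")
    print("validate_icon:", validate_icon("1f600"), validate_icon(PAYLOAD))
```

The parser check is the point of the post-upgrade test: a naive string search for `onerror` would still match the hardened output, because the text is present, just inert. What matters is whether the HTML parser sees it as an attribute, and that is what the browser in the desktop application will do.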
CVE-2026-23852 is a stored Cross-Site Scripting (XSS) vulnerability in SiYuan versions prior to 3.5.4 that lets an attacker inject malicious HTML attributes through the icon attribute of blocks.
You are affected if you are running a SiYuan version earlier than 3.5.4. Upgrade to version 3.5.4 or later to mitigate the risk.
Upgrade SiYuan to version 3.5.4 or later. If you cannot upgrade yet, limit access to the /api/attr/setBlockAttrs API and add input validation and output encoding as a temporary workaround.
There is currently no confirmed evidence of active exploitation, but because the flaw bypasses a previous fix, exploitation attempts are plausible once a proof of concept circulates.
Refer to the SiYuan project's official website and security advisories for the latest information regarding CVE-2026-23852.