MEDIUM 4.6 Go
SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
GHSA-w836-5gpm-7r93 · CVE-2026-23847 · GO-2026-4343
Description
Summary
Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input.
Details
The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG without escaping.
PoC
Payload: test</text><script>alert(window.origin)</script><text>
- Open any note and click Change Icon -> Dynamic (Text).
- Change the color, paste the payload into the Custom field, and click the icon.
- Intercept and send the request, or get the path from devtools.
- The JavaScript payload executes after the URL is opened.
Impact
Arbitrary JavaScript execution in the user's session context if the SVG is loaded directly. It also prevents using legitimate characters like < or > in icon text.
Note
Tested version:
References
- WEB https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-23847
- WEB https://github.com/siyuan-note/siyuan/issues/16844
- WEB https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777
- PACKAGE https://github.com/siyuan-note/siyuan