SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution
Description
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint `GET /api/icon/getDynamicIcon` when `type=8`: attacker-controlled content is embedded into the SVG output without escaping. Because the endpoint is unauthenticated and returns `image/svg+xml`, a crafted URL can inject executable SVG/HTML event handlers (for example `onerror`) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
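The flaw class described above is text interpolated into an XML document without escaping, served with an `image/svg+xml` content type. The Go program below is an added illustration, not SiYuan's code or the contents of the fix commit: the query parameter name `content`, the SVG template and the handler are all assumptions. It places an unescaped renderer beside the hardened one, counts the tags each produces for a constructed input, and shows the defence-in-depth headers a handler returning user-derived SVG should set.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"strings"
)

// svgTemplate is a constructed stand-in for a dynamic-icon renderer. It
// contributes exactly four "<" characters, which tagCount relies on below.
const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" width="160" height="40">` +
	`<text x="8" y="24" font-size="14">%s</text></svg>`

// renderIconSVGUnsafe shows the flaw class only: caller-controlled text is
// interpolated into the XML verbatim, so a value containing markup becomes markup.
func renderIconSVGUnsafe(label string) string {
	return fmt.Sprintf(svgTemplate, label)
}

// renderIconSVG is the hardened form. html.EscapeString turns <, >, &, ' and "
// into character references, which are exactly the characters that could close
// the text node or open an attribute inside an SVG/XML document.
func renderIconSVG(label string) string {
	return fmt.Sprintf(svgTemplate, html.EscapeString(label))
}

// tagCount counts "<" in the rendered output. The template contributes four,
// so a higher count means the input introduced an element of its own.
func tagCount(svg string) int {
	return strings.Count(svg, "<")
}

// dynamicIconHandler is a hypothetical handler (the "content" parameter is an
// assumption, not SiYuan's API). Besides escaping, it sets a restrictive CSP so
// that a missed escape still cannot execute script when the SVG is opened
// directly as a document, and nosniff so the declared type is honoured.
func dynamicIconHandler(w http.ResponseWriter, r *http.Request) {
	label := r.URL.Query().Get("content")
	w.Header().Set("Content-Type", "image/svg+xml")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	_, _ = w.Write([]byte(renderIconSVG(label)))
}

func main() {
	// Constructed input: closes the text node and opens a new element.
	in := `x"><b>y`
	fmt.Printf("unsafe: %d tags\n%s\n", tagCount(renderIconSVGUnsafe(in)), renderIconSVGUnsafe(in))
	fmt.Printf("safe:   %d tags\n%s\n", tagCount(renderIconSVG(in)), renderIconSVG(in))
	// To serve locally: http.ListenAndServe(":8080", http.HandlerFunc(dynamicIconHandler))
}
```

Run it and the unsafe renderer reports five tags for the constructed input while the hardened one reports four, with the input surviving only as `x&#34;&gt;&lt;b&gt;y` inside the text node. The CSP header matters only for the direct-navigation case, which is precisely the reflected scenario the advisory describes; SVG referenced from an `<img>` element never runs script regardless.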
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/siyuan-note/siyuan/kernel | Go | < 0.0.0-20260304034809-d68bd5a79391 | 0.0.0-20260304034809-d68bd5a79391 |
Affected products
- pkg:golang/github.com/siyuan-note/siyuan/kernel (no CPE): range < 0.0.0-20260304034809-d68bd5a79391
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE): range < 0.0.20260317T205859-150000.1.152.1
- SiYuan application: range < 3.5.9
References
- https://github.com/advisories/GHSA-6865-qjcf-286f (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-29183 (NVD entry)
- https://github.com/siyuan-note/siyuan/commit/d68bd5a79391742b3cb2e14d892bdd9997064927 (fix commit)
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f (project advisory, confirmed)