CVE-2026-23847 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-23847 PUBLISHED CVSS 2.0999999046325684 LOW

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.]

EPSS 0.04% · 12.8th percentile

Risk Scores

CVSS v4.0

2.0999999046325684

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

EPSS Score

0.04%

12.8th percentile

Affected Products

Vendor	Product	Versions
github.com	siyuan-note/siyuan/kernel	0, 0
siyuan-note	siyuan	< 3.5.4, < 3.5.4
b3log	siyuan	0, 0

Timeline

Jan 19, 2026 CVE Published
Jan 19, 2026 PoC Published
Jan 20, 2026 EPSS Score
Jan 20, 2026 CVE Updated
Jan 22, 2026 EPSS Score
Jan 24, 2026 EPSS Score
Jan 24, 2026 PoC Published
Jan 27, 2026 EPSS Score
Jan 29, 2026 EPSS Score
Jan 30, 2026 Security Advisory
Jan 31, 2026 EPSS Score
Feb 2, 2026 EPSS Score

References

Open in Interactive Console →