CVE-2026-23847 - SiYuan Vulnerable to Reflected Cross-Site Scripting (XSS) via /api/icon/getDynam...

CVE ID : CVE-2026-23847 Published : Jan. 19, 2026, 7:46 p.m. | 36 minutes ago Description : SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue.] Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...