GHSA-w836-5gpm-7r93: SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

Summary

Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input.

Details

The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript.

PoC

Payload: test</text><script>alert(window.origin)</script><text>

  1. Open any note and click Change Icon -> Dynamic (Text).

  2. Change the color, paste the payload into the Custom field, and click on this icon.

  3. Intercept and send the request, or get the path from devtools.

  4. The JavaScript payload executes after opening the URL.

Impact

Arbitrary JavaScript execution in the user’s session context if the SVG is loaded directly. It also prevents using legitimate characters like < or > in icon text.
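As an added illustration, not SiYuan's code: a constructed Go text-icon renderer shaped like the one the Details section describes, in its unsafe form beside an XML-escaping fix, plus a parser-based check that counts script elements so the two outputs can be told apart (all function names are hypothetical).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed illustration of the bug class, not SiYuan's code: a dynamic
// text-icon renderer that builds an SVG document from a request parameter.
const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">` +
	`<text x="32" y="40" text-anchor="middle">%s</text></svg>`

// renderTextIconUnsafe interpolates the caller-controlled content straight
// into the <text> element, the defect the advisory describes.
func renderTextIconUnsafe(content string) string {
	return fmt.Sprintf(svgTemplate, content)
}

// renderTextIconSafe XML-escapes the content first, so <, >, & and quotes
// stay character data and cannot close <text> or open new elements.
func renderTextIconSafe(content string) string {
	var sb strings.Builder
	// xml.EscapeText only fails on writer errors; strings.Builder never does.
	if err := xml.EscapeText(&sb, []byte(content)); err != nil {
		panic(err)
	}
	return fmt.Sprintf(svgTemplate, sb.String())
}

// countScriptElements parses the SVG as XML and counts <script> elements,
// a check a unit test or response scanner can apply; -1 means malformed XML.
func countScriptElements(svg string) int {
	dec := xml.NewDecoder(strings.NewReader(svg))
	n := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return n
		}
		if err != nil {
			return -1
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "script" {
			n++
		}
	}
}
```

With the payload from the PoC, the unsafe renderer yields a well-formed SVG containing one script element, while the escaped renderer yields one text element whose content is the literal string.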

Note

Tested version: (shown only in a screenshot in the original advisory)


SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon

Low severity GitHub Reviewed Published Jan 18, 2026 in siyuan-note/siyuan • Updated Jan 21, 2026

Package

gomod github.com/siyuan-note/siyuan/kernel (Go)

Affected versions

< 0.0.0-20260118021606-5c0cc375b475

Patched versions

0.0.0-20260118021606-5c0cc375b475


References

  • GHSA-w836-5gpm-7r93
  • https://nvd.nist.gov/vuln/detail/CVE-2026-23847
  • siyuan-note/siyuan#16844
  • siyuan-note/siyuan@5c0cc37

Published to the GitHub Advisory Database

Jan 21, 2026

Last updated

Jan 21, 2026
