CVE-2026-23847
MEDIUM4.6EPSS 0.07%SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon
描述
### Summary Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input. ### Details The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. ### PoC Payload: `test</text><script>alert(window.origin)</script><text>` 1. Open any note and click Change Icon -> Dynamic (Text). <img width="713" height="373" alt="image" src="https://github.com/user-attachments/assets/8a4f5ec4-81d6-46cb-8872-841cb2188ed8" /> 2. Change color and paste the payload into the Custom field and click on this icon. <img width="935" height="682" alt="image" src="https://github.com/user-attachments/assets/24d28fbd-a3ce-44f1-a5bb-2cc3f711faf5" /> 3. Intercept and send the request or get path from devtools <img width="1229" height="627" alt="image" src="https://github.com/user-attachments/assets/3cfb1d9a-5a23-476c-86cc-f9a7de6bbe32" /> <img width="1140" height="764" alt="image" src="https://github.com/user-attachments/assets/2657e44f-3724-4136-a53f-75068945aef0" /> 4. The JavaScript payload executes afted open URL. <img width="701" height="809" alt="image" src="https://github.com/user-attachments/assets/343ad67a-e236-466b-9ec9-e4f1dea4fd5e" /> <img width="1382" height="847" alt="image" src="https://github.com/user-attachments/assets/01820d3c-c374-402a-8d72-6ea75dbd92c2" /> ### Impact Arbitrary JavaScript execution in the user's session context if the SVG is loaded directly. It also prevents using legitimate characters like < or > in icon text. ### Note Tested version: <img width="1368" height="699" alt="image" src="https://github.com/user-attachments/assets/a7466b8f-a88b-461d-8d9e-7178af7ab076" />
受影響套件(2)
- Go/github.com/siyuan-note/siyuan/kernelfrom 0, < 0.0.0-20260118021606-5c0cc375b475
- Go/github.com/siyuan-note/siyuan/kernelfrom 0, < 0.0.0-20260118021606-5c0cc375b475
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-23847
- PATCHhttps://github.com/siyuan-note/siyuan
- WEBhttps://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777
- WEBhttps://github.com/siyuan-note/siyuan/issues/16844
- WEBhttps://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93