CVE-2026-23847: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in siyuan-note siyuan
CVE-2026-23847 is a reflected cross-site scripting (XSS) vulnerability affecting the SiYuan personal knowledge management system in versions prior to 3.5.4. The flaw exists in the /api/icon/getDynamicIcon endpoint, which generates SVG images for text icons by inserting user-supplied content directly into an SVG <text> element without proper XML escaping. Because the response is served with the image/svg+xml content type, attackers can inject malicious JavaScript by breaking the SVG structure, leading to script execution in the victim's browser. This vulnerability requires no authentication but does require user interaction to trigger the malicious payload. The CVSS 4.0 score is low (2.1) due to the limited impact scope and the need for user interaction. The issue was patched in version 3.5.4.
AI Analysis
Technical Summary
CVE-2026-23847 is a reflected cross-site scripting vulnerability classified under CWE-79, found in SiYuan, a personal knowledge management system. The vulnerability affects versions prior to 3.5.4 and arises from improper neutralization of user input during web page generation. Specifically, the /api/icon/getDynamicIcon endpoint accepts a content query parameter intended to be rendered as text within an SVG image's <text> tag. However, this input is not XML-escaped, allowing an attacker to inject arbitrary SVG/XML tags. Because the response Content-Type is image/svg+xml, the injected tags can break the SVG structure and enable execution of embedded JavaScript code in the context of the victim's browser. This reflected XSS can be exploited by tricking users into visiting crafted URLs that exploit this endpoint. The vulnerability does not require authentication or privileges but does require user interaction (clicking or visiting a malicious link). The CVSS 4.0 vector indicates network attack vector, low complexity, no privileges required, user interaction required, and low impact on confidentiality, integrity, and availability. The vulnerability was patched in version 3.5.4 by properly escaping the content parameter before embedding it into the SVG output. No known exploits have been reported in the wild as of the publication date. This vulnerability mainly threatens users of SiYuan versions prior to 3.5.4, especially those who access untrusted links or content that could exploit this flaw.
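The escaping the fix relies on, shown as an added example that is not SiYuan's code: a minimal text-icon builder in the flawed shape the analysis describes (caller content concatenated straight into an SVG <text> element) beside a hardened builder that passes the content through Go's xml.EscapeText, plus a strict-parse check that tells the two apart. The markup layout, the attribute values and the choice of xml.EscapeText are assumptions; the page only states that 3.5.4 properly escapes the content parameter before embedding it.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
)

// Constructed illustration of the pattern the advisory describes, not
// SiYuan's code: a text icon is built by placing caller-supplied content
// inside an SVG <text> element. Markup layout and attributes are assumptions.
const iconTmpl = `<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">` +
	`<text x="64" y="72" text-anchor="middle">%s</text></svg>`

// buildIconUnescaped mirrors the flaw: the string is concatenated straight
// into the markup, so '<', '>' and '&' become document structure, not text.
func buildIconUnescaped(content string) string {
	return fmt.Sprintf(iconTmpl, content)
}

// buildIconEscaped is the hardened form (assumed to match the 3.5.4 fix in
// spirit): xml.EscapeText turns the XML-significant characters into entity
// references before the content is inserted, so it can only ever be text.
func buildIconEscaped(content string) string {
	var buf bytes.Buffer
	_ = xml.EscapeText(&buf, []byte(content)) // cannot fail on a bytes.Buffer
	return fmt.Sprintf(iconTmpl, buf.String())
}

// iconDoc is the shape a strict XML parser should find: exactly one <text>
// child whose character data is the caller's content, and nothing else.
type iconDoc struct {
	XMLName xml.Name  `xml:"svg"`
	Texts   []string  `xml:"text"`
	Others  []anyElem `xml:",any"` // any other child is structure the content added
}

type anyElem struct {
	XMLName xml.Name
}

// inspect parses an icon with Go's strict decoder and returns nil only when
// the document is well-formed, has the expected structure, and the text node
// is exactly `want`. Any other outcome means the content altered the markup.
func inspect(svg, want string) error {
	var doc iconDoc
	if err := xml.Unmarshal([]byte(svg), &doc); err != nil {
		return fmt.Errorf("not well-formed XML: %w", err)
	}
	if len(doc.Texts) != 1 || len(doc.Others) != 0 {
		return fmt.Errorf("structure changed: %d <text>, %d other elements", len(doc.Texts), len(doc.Others))
	}
	if doc.Texts[0] != want {
		return fmt.Errorf("text node is %q, want %q", doc.Texts[0], want)
	}
	return nil
}

func main() {
	// Constructed inputs: a benign label, one with a bare '<', and one that
	// closes <text> and opens a sibling element (no script involved).
	for _, in := range []string{"Meeting notes", "a<b", "</text><circle/><text>"} {
		fmt.Printf("%-26q unescaped: %v\n", in, inspect(buildIconUnescaped(in), in))
		fmt.Printf("%-26q escaped:   %v\n", in, inspect(buildIconEscaped(in), in))
	}
}
```

Run as written, the unescaped builder fails the round-trip as soon as the content carries a '<' (either the document stops being well-formed or extra elements appear under <svg>), while the escaped builder hands back the caller's string unchanged for every input. The same inspect check makes a compact regression test for a fix of this kind: the output must parse strictly and the only thing the content is allowed to influence is the character data of one node.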
Potential Impact
For European organizations using SiYuan versions prior to 3.5.4, this vulnerability could allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the SiYuan application or other web applications sharing the same origin. However, the impact is limited by the requirement for user interaction and the reflected nature of the XSS, meaning attackers must lure users into clicking malicious links. The low CVSS score reflects the limited scope and impact. Nonetheless, organizations handling sensitive knowledge management data should consider this a risk to confidentiality and integrity of user sessions and data. The vulnerability could also be leveraged in targeted phishing campaigns against employees using SiYuan. Since SiYuan is a niche product, the overall impact is limited compared to more widely used software, but organizations relying on it for knowledge management should prioritize patching to prevent exploitation.
Mitigation Recommendations
1. Upgrade SiYuan to version 3.5.4 or later, where the vulnerability is patched by proper XML escaping of the content parameter.
2. Implement web application firewall (WAF) rules to detect and block suspicious SVG payloads or unusual query parameters targeting /api/icon/getDynamicIcon.
3. Educate users about the risks of clicking on untrusted links, especially those that might lead to SVG content rendering.
4. Employ Content Security Policy (CSP) headers restricting script execution and limiting the sources of executable scripts to reduce the impact of XSS.
5. Monitor logs for unusual requests to the vulnerable endpoint that may indicate attempted exploitation.
6. If upgrading immediately is not possible, consider disabling or restricting access to the vulnerable endpoint temporarily.
7. Conduct internal security awareness campaigns focused on phishing and social engineering risks related to XSS attacks.
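For recommendation 5 (and as the condition a WAF rule under recommendation 2 would test), an added example that is not part of the advisory or of SiYuan: a small Go scanner that reads access-log lines, URL-decodes the content parameter of requests to /api/icon/getDynamicIcon and reports any value containing the characters that can alter XML structure. The log lines are constructed in common log format; content is the only query parameter the page confirms, so no others are invented.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed access-log lines (common log format), not real SiYuan logs.
// 203.0.113.0/24 is a documentation range; content is the only query
// parameter the advisory names, so no others appear here.
var sampleLog = []string{
	`203.0.113.5 - - [19/Jan/2026:19:50:56 +0000] "GET /api/icon/getDynamicIcon?content=Meeting+notes HTTP/1.1" 200 1432`,
	`203.0.113.7 - - [19/Jan/2026:19:51:10 +0000] "GET /api/icon/getDynamicIcon?content=%3C%2Ftext%3E%3Ccircle%2F%3E HTTP/1.1" 200 1501`,
	`203.0.113.8 - - [19/Jan/2026:19:51:30 +0000] "GET /api/icon/getDynamicIcon?content=Q%26A HTTP/1.1" 200 1420`,
	`203.0.113.9 - - [19/Jan/2026:19:52:00 +0000] "GET /favicon.ico HTTP/1.1" 200 8211`,
}

// Finding is one request whose content parameter could change SVG structure.
type Finding struct {
	Client  string // source address from the log line
	Content string // content parameter after URL decoding
}

// reqRe captures the client address and the request target of a common-log line.
var reqRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/`)

const iconPath = "/api/icon/getDynamicIcon"

// flagSuspicious returns the requests to the icon endpoint whose decoded
// content contains '<' or '>'. Those are the characters that can close the
// <text> element or open a new one; a bare '&' is left alone because it is
// common in legitimate labels ("Q&A") and cannot introduce an element.
func flagSuspicious(lines []string) []Finding {
	var out []Finding
	for _, ln := range lines {
		m := reqRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[2])
		if err != nil || u.Path != iconPath {
			continue
		}
		// Query() decodes percent-escapes once, the same view the server gets.
		content := u.Query().Get("content")
		if strings.ContainsAny(content, "<>") {
			out = append(out, Finding{Client: m[1], Content: content})
		}
	}
	return out
}

func main() {
	for _, f := range flagSuspicious(sampleLog) {
		fmt.Printf("client %s sent structural characters in content: %q\n", f.Client, f.Content)
	}
}
```

Point it at the reverse proxy's or application's access log and route findings to existing alerting. The check decodes the query exactly once, matching what the endpoint receives, so a double-encoded value that the server would render as literal text is correctly not flagged. After the upgrade to 3.5.4 the same hits still matter as evidence of probing, even though the escaped output they produce is inert.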
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-16T15:46:40.843Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 696e8b204623b1157cb6228a
Added to database: 1/19/2026, 7:50:56 PM
Last enriched: 1/19/2026, 8:05:44 PM
Last updated: 1/19/2026, 8:59:42 PM