CVE-2026-23847 is a reflected cross-site scripting vulnerability classified under CWE-79, found in the SiYuan personal knowledge management system prior to version 3.5.4. The vulnerability arises from improper neutralization of input during web page generation in the /api/icon/getDynamicIcon endpoint. This endpoint generates SVG images for text icons, specifically when the 'type=8' parameter is used. The 'content' query parameter is directly embedded into the SVG <text> element without XML escaping or sanitization. Since the HTTP response Content-Type is set to image/svg+xml, the injected content can break the XML structure and allow execution of arbitrary JavaScript code within the context of the user's browser. This reflected XSS does not require authentication, making it accessible to unauthenticated attackers who can craft malicious URLs. However, user interaction is necessary to trigger the payload, such as clicking a malicious link or visiting a compromised webpage that references the vulnerable endpoint. The vulnerability was assigned a CVSS 4.0 score of 2.1, indicating low severity due to limited impact on confidentiality, integrity, and availability, and the requirement for user interaction. No known exploits have been reported in the wild, and the issue was resolved in SiYuan version 3.5.4 by properly escaping the 'content' parameter before embedding it in the SVG output. This vulnerability could be leveraged for session hijacking, phishing, or other client-side attacks if exploited in targeted scenarios.

For European organizations, the impact of CVE-2026-23847 is generally low but non-negligible. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of a user's browser, potentially leading to session hijacking, theft of sensitive information, or delivery of further malware. Organizations using SiYuan for knowledge management, especially those exposing the vulnerable endpoint to the internet or integrating it into internal portals, face increased risk. The vulnerability could be exploited in spear-phishing campaigns targeting employees, enabling attackers to bypass same-origin policies and perform actions on behalf of users. While the direct impact on system confidentiality, integrity, and availability is limited, the client-side compromise could facilitate broader attacks. Given the low CVSS score and lack of known exploits, the immediate risk is moderate, but organizations should not ignore the vulnerability due to the potential for targeted abuse. Compliance with data protection regulations such as GDPR also necessitates timely patching of known vulnerabilities to avoid penalties.

European organizations should immediately upgrade all SiYuan deployments to version 3.5.4 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement strict input validation and sanitization on the 'content' parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads attempting to inject SVG or script tags. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and limit the sources of executable code, mitigating the impact of any successful XSS attempts. Monitor web server logs for suspicious requests to /api/icon/getDynamicIcon with unusual or encoded payloads. Educate users about the risks of clicking untrusted links, especially those that may contain SVG content. Conduct regular security assessments and penetration testing focusing on client-side vulnerabilities. Finally, isolate SiYuan instances from public internet exposure where possible, restricting access to trusted internal networks.