
CVE-2026-23852: CWE-94: Improper Control of Generation of Code ('Code Injection') in siyuan-note siyuan

Severity: Medium
Tags: Vulnerability, CVE-2026-23852, cve, cwe-94
Published: Mon Jan 19 2026 (01/19/2026, 20:00:05 UTC)
Source: CVE Database V5
Vendor/Project: siyuan-note
Product: siyuan

Description

CVE-2026-23852 is a medium severity stored Cross-Site Scripting (XSS) vulnerability in SiYuan Note versions prior to 3.5.4. It allows attackers to inject arbitrary HTML attributes into the 'icon' attribute of a block via the /api/attr/setBlockAttrs API. The injected payload is rendered unsanitized in the dynamic icon feature, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This vulnerability bypasses a previous fix and affects personal knowledge management systems using vulnerable SiYuan versions. No known exploits are currently reported in the wild. The vulnerability has a CVSS 4.0 score of 5.8, indicating medium severity.

AI-Powered Analysis

Last updated: 01/27/2026, 20:24:05 UTC

Technical Analysis

CVE-2026-23852 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting SiYuan Note, a personal knowledge management system. Versions prior to 3.5.4 allow an attacker to inject arbitrary HTML attributes into the 'icon' attribute of a block via the /api/attr/setBlockAttrs API endpoint. The vulnerability arises because the dynamic icon feature renders these attributes in an unsanitized context, enabling stored XSS attacks. In the desktop environment, this stored XSS can escalate to remote code execution (RCE), posing a significant risk. This vulnerability bypasses a previous fix (issue #15970) that attempted to address XSS leading to RCE via dynamic icons, indicating incomplete sanitization or validation in the codebase. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, but with high scope and impact on integrity and availability. No known exploits have been reported in the wild as of publication. The vendor released version 3.5.4 containing an updated fix that properly sanitizes the input to prevent code injection. The vulnerability highlights the risks of insufficient input validation and output encoding in web applications that support dynamic content rendering, especially in desktop environments where XSS can lead to RCE.

Potential Impact

For European organizations using SiYuan Note versions prior to 3.5.4, this vulnerability could lead to unauthorized code execution on affected systems, especially in desktop environments. Confidentiality could be compromised if attackers inject scripts that steal sensitive data or credentials. Integrity and availability may also be impacted if attackers execute malicious code that alters or deletes data or disrupts service. Since SiYuan is a personal knowledge management system, organizations relying on it for sensitive or proprietary information risk data leakage or sabotage. The vulnerability's ability to bypass previous fixes suggests attackers could exploit it to gain persistent access or escalate privileges. Although no known exploits exist currently, the medium severity and ease of exploitation (no authentication or user interaction required) mean that targeted attacks or automated scanning could emerge. European organizations with remote or hybrid workforces using vulnerable SiYuan desktop clients are particularly at risk. The impact extends to intellectual property theft, operational disruption, and potential compliance violations under GDPR if personal data is exposed.

Mitigation Recommendations

European organizations should immediately update all SiYuan Note installations to version 3.5.4 or later, which contains the updated fix for this vulnerability. Until updates are applied, restrict access to the /api/attr/setBlockAttrs API endpoint via network controls or application-layer firewalls to trusted users only. Implement strict input validation and output encoding on any custom integrations or plugins interacting with SiYuan to prevent injection of malicious attributes. Monitor logs for unusual API requests or unexpected changes to block attributes that could indicate exploitation attempts. Educate users about the risks of opening untrusted SiYuan files or links that could trigger malicious payloads. Employ endpoint protection solutions capable of detecting suspicious script execution in desktop environments. Conduct regular vulnerability scans and penetration tests focusing on web application and desktop client attack surfaces. Finally, maintain an incident response plan to quickly contain and remediate any detected exploitation.
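As an added example (not SiYuan's own code and not part of this advisory), the following Python script shows the two defensive checks the technical analysis and the mitigation recommendations call for: an allowlist validator for block icon values, and a log monitor that flags /api/attr/setBlockAttrs requests whose icon value carries HTML attribute metacharacters. The log line format, the allowlist shape, and the sample log lines are all constructed assumptions; SiYuan's real icon format, validation rule, and logging differ.

```python
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample of API request log lines (not real SiYuan log output).
# Assumed fields: timestamp, client address, HTTP method, path, JSON request body.
# The third and fourth lines carry icon values with attribute-breaking characters.
SAMPLE_LOG = """\
2026-01-20T10:01:02Z 203.0.113.5 POST /api/attr/setBlockAttrs {"id":"20260120100102-aaaaaaa","attrs":{"icon":"1f4d6"}}
2026-01-20T10:01:09Z 203.0.113.5 POST /api/block/getBlockInfo {"id":"20260120100102-aaaaaaa"}
2026-01-20T10:02:33Z 198.51.100.7 POST /api/attr/setBlockAttrs {"id":"20260120100233-bbbbbbb","attrs":{"icon":"x\\" data-x=\\"y","title":"notes"}}
2026-01-20T10:03:41Z 198.51.100.7 POST /api/attr/setBlockAttrs {"id":"20260120100341-ccccccc","attrs":{"icon":"<b>x</b>"}}
2026-01-20T10:04:00Z 203.0.113.5 POST /api/attr/setBlockAttrs {"id":"20260120100400-ddddddd","attrs":{"bookmark":"todo"}}
""".splitlines()

# Hypothetical allowlist for icon values: either a short token made of letters, digits,
# '.', '_', '/' and '-' (codepoint hex or asset path style), or a short run of non-ASCII,
# non-whitespace characters (a literal emoji). This is an assumed rule, not SiYuan's.
ALLOWED_ICON = re.compile(r"^(?:[A-Za-z0-9._/-]{1,128}|[^\x00-\x7F\s]{1,8})$")

# Characters that can terminate or add an HTML attribute when a value is interpolated
# into markup without escaping. Used only to explain *why* a value was flagged.
HTML_META = re.compile(r"""["'<>=&\s]""")

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$")


def icon_value_is_safe(value: str) -> bool:
    """Allowlist check: accept only values that match a known-good icon shape."""
    return ALLOWED_ICON.fullmatch(value) is not None


def injection_indicators(value: str) -> List[str]:
    """Return the distinct HTML metacharacters present in an attribute value."""
    return sorted(set(HTML_META.findall(value)))


def parse_log_line(line: str) -> Optional[Dict]:
    """Split one assumed-format log line into fields and decode the JSON body."""
    match = LOG_LINE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    try:
        record["body"] = json.loads(record["body"])
    except json.JSONDecodeError:
        record["body"] = None  # malformed body: keep the record, skip attribute checks
    return record


def find_suspicious_attr_updates(lines: Iterable[str],
                                 path: str = "/api/attr/setBlockAttrs") -> List[Dict]:
    """Flag setBlockAttrs requests whose 'icon' attribute fails the allowlist."""
    alerts = []
    for line in lines:
        record = parse_log_line(line)
        if record is None or record["path"] != path or not isinstance(record["body"], dict):
            continue
        attrs = record["body"].get("attrs")
        if not isinstance(attrs, dict):
            continue
        icon = attrs.get("icon")
        if not isinstance(icon, str) or icon_value_is_safe(icon):
            continue
        alerts.append({
            "ts": record["ts"],
            "client": record["client"],
            "block": record["body"].get("id"),
            "icon": icon,
            "indicators": injection_indicators(icon),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_attr_updates(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} block={alert['block']} "
              f"icon={alert['icon']!r} indicators={alert['indicators']}")
```

The validator deliberately uses an allowlist rather than a blocklist: the previous fix referenced in the analysis was bypassed, which is the usual outcome of trying to enumerate bad input. The metacharacter list is only consulted after a value has already failed the allowlist, to give the analyst a reason in the alert.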


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-16T15:46:40.843Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696e92284623b1157ccc1f42

Added to database: 1/19/2026, 8:20:56 PM

Last enriched: 1/27/2026, 8:24:05 PM

Last updated: 2/7/2026, 8:00:54 AM

