Cyber Resilience

CVE-2026-23852

MediumPublic PoC

Published: 19 January 2026

Published
19 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v4 5.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0068 47.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-23852 is a medium-severity Code Injection (CWE-94) vulnerability in B3Log Siyuan. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-23852 is a stored Cross-Site Scripting (XSS) vulnerability (CWE-79, CWE-94) affecting SiYuan, a personal knowledge management system, in versions prior to 3.5.4. The flaw allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block through the `/api/attr/setBlockAttrs` API endpoint. This payload is subsequently rendered without sanitization in the dynamic icon feature, resulting in stored XSS. In the desktop environment, this can escalate to remote code execution (RCE). The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) and bypasses a prior fix for issue #15970 related to XSS-to-RCE via dynamic icons.

An attacker can exploit this vulnerability remotely over the network with low complexity and no required privileges, provided the victim interacts with the malicious content (e.g., opens or views a note containing the injected block). Successful exploitation leads to stored XSS, enabling theft of session cookies, keystroke logging, or further attacks within the victim's browser context. In SiYuan's desktop application, the XSS can potentially achieve RCE by leveraging the application's capabilities to execute system commands.

Mitigation is addressed in SiYuan version 3.5.4, which includes an updated fix for the vulnerability. Security practitioners should advise users to upgrade immediately. Relevant details are available in the GitHub security advisory (GHSA-7c6g-g2hx-23vv) and the fixing commit (0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload…

more

is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1056.001 Keylogging Collection
Adversaries may log user keystrokes to intercept credentials as the user types them.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The vulnerability is a stored XSS in a public-facing API (PR:N, AV:N) exploitable via T1190, enabling client-side execution (T1203) in browser/desktop contexts for keylogging (T1056.001) and session cookie theft (T1539) as explicitly described.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40322Same product: B3Log Siyuan
CVE-2026-34585Same product: B3Log Siyuan
CVE-2026-39846Same product: B3Log Siyuan
CVE-2026-34448Same product: B3Log Siyuan
CVE-2026-34605Same product: B3Log Siyuan
CVE-2026-33066Same product: B3Log Siyuan
CVE-2026-32751Same product: B3Log Siyuan
CVE-2026-29183Same product: B3Log Siyuan
CVE-2026-33067Same product: B3Log Siyuan
CVE-2026-32940Same product: B3Log Siyuan

Affected Assets

b3log
siyuan
≤ 3.5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces validation of inputs to the /api/attr/setBlockAttrs API to prevent injection of arbitrary HTML attributes into block icons.

prevent

Filters outputs during dynamic icon rendering to sanitize malicious HTML attributes and block stored XSS execution.

preventrecover

Requires timely flaw remediation, such as upgrading to SiYuan version 3.5.4, to correct the stored XSS vulnerability.

References