CVE-2026-29183
Published: 06 March 2026
Summary
CVE-2026-29183 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in B3Log Siyuan. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters SVG output to escape or block attacker-controlled content and executable event handlers like onerror, directly preventing reflected XSS injection.
Validates API inputs such as the type parameter to reject or sanitize malicious content before embedding into SVG responses.
Restricts unauthenticated inputs to the dynamic icon endpoint to whitelisted values or formats, limiting opportunities for XSS payload injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated reflected XSS in public-facing web app endpoint enables exploitation of public-facing applications (T1190) and JavaScript execution (T1059.007) in victim browser context for further actions like data exfiltration.
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is…
more
unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
Deeper analysisAI
SiYuan, a personal knowledge management system, is affected by CVE-2026-29183, an unauthenticated reflected cross-site scripting (XSS) vulnerability in versions prior to 3.5.9. The flaw exists in the dynamic icon API endpoint GET /api/icon/getDynamicIcon when the type parameter is set to 8, where attacker-controlled content is embedded into SVG output without escaping.
The endpoint is unauthenticated and returns content with a media type of image/svg+xml, enabling an attacker to craft a URL that injects executable SVG or HTML event handlers, such as onerror, to execute JavaScript in the context of the SiYuan web origin. Exploitation requires a logged-in user to open the malicious link, after which the attacker can chain the XSS payload with authenticated API actions to exfiltrate sensitive data from the victim's account.
The issue has been patched in SiYuan version 3.5.9. Additional details on the vulnerability and remediation are available in the GitHub Security Advisory at https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f.
Details
- CWE(s)