GHSA-6865-QJCF-286F

Vulnerability from github – Published: 2026-03-04 21:45 – Updated: 2026-03-06 21:58
VLAI?
Summary
SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
Details

Summary

An unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint:

  • GET /api/icon/getDynamicIcon

When type=8, attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin.

This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link.

Details

The issue is caused by unsafe output construction and incomplete sanitization:

  1. Endpoint is exposed without auth middleware
  2. Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/router.go#L27-L37

  3. GET /api/icon/getDynamicIcon is registered in the unauthenticated section.

  4. User input is inserted into SVG via string formatting

  5. Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/icon.go#L115-L175
  6. Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/icon.go#L537-L585

  7. In generateTypeEightSVG, %s directly injects content into <text>...</text> without XML/HTML escaping.

  8. Sanitizer only removes <script> tags

  9. Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/util/misc.go#L235-L281
  10. RemoveScriptsInSVG removes <script> nodes, but does not remove dangerous attributes (onerror, onload, etc.) or unsafe elements.

As a result, payloads such as </text><image ... onerror=...><text> survive and execute.

PoC

Minimal browser execution PoC

Open this URL in a browser:

GET /api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Cimage%20href%3Dx%20onerror%3Dalert(document.domain)%3E%3C%2Fimage%3E%3Ctext%3E

Example full URL:

http://127.0.0.1:6806/api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Cimage%20href%3Dx%20onerror%3Dalert(document.domain)%3E%3C%2Fimage%3E%3Ctext%3E

Expected result:

  • JavaScript executes (alert(document.domain)), confirming reflected XSS.

Authenticated impact demonstration

If a victim is authenticated in the same browser session, JavaScript running in origin can call privileged APIs and exfiltrate returned data.

Impact

This is a reflected XSS in an unauthenticated endpoint, with realistic account/data compromise impact:

  • Arbitrary JavaScript execution in SiYuan web origin.
  • Authenticated action abuse via same-origin API calls.
  • Sensitive data exposure (notes/config/API responses) from victim context.
  • Potential chained server-impact actions depending on victim privileges and deployment mode.
Severity ?
9.3 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260304034809-d68bd5a79391"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29183"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T21:45:10Z",
    "nvd_published_at": "2026-03-06T08:16:27Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAn unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint:\n\n- `GET /api/icon/getDynamicIcon`\n\nWhen `type=8`, attacker-controlled `content` is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns `image/svg+xml`, a crafted URL can inject executable SVG/HTML event handlers (for example `onerror`) and run JavaScript in the SiYuan web origin.\n\nThis can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link.\n\n### Details\nThe issue is caused by unsafe output construction and incomplete sanitization:\n\n1. **Endpoint is exposed without auth middleware**\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/router.go#L27-L37\n   - `GET /api/icon/getDynamicIcon` is registered in the unauthenticated section.\n\n2. **User input is inserted into SVG via string formatting**\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/icon.go#L115-L175\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/api/icon.go#L537-L585\n   - In `generateTypeEightSVG`, `%s` directly injects `content` into `\u003ctext\u003e...\u003c/text\u003e` without XML/HTML escaping.\n\n3. **Sanitizer only removes `\u003cscript\u003e` tags**\n   - Source: https://github.com/siyuan-note/siyuan/blob/master/kernel/util/misc.go#L235-L281\n   - `RemoveScriptsInSVG` removes `\u003cscript\u003e` nodes, but does not remove dangerous attributes (`onerror`, `onload`, etc.) or unsafe elements.\n\nAs a result, payloads such as `\u003c/text\u003e\u003cimage ... onerror=...\u003e\u003ctext\u003e` survive and execute.\n\n### PoC\n\n#### Minimal browser execution PoC\nOpen this URL in a browser:\n\n```http\nGET /api/icon/getDynamicIcon?type=8\u0026content=%3C%2Ftext%3E%3Cimage%20href%3Dx%20onerror%3Dalert(document.domain)%3E%3C%2Fimage%3E%3Ctext%3E\n```\n\nExample full URL:\n\n```text\nhttp://127.0.0.1:6806/api/icon/getDynamicIcon?type=8\u0026content=%3C%2Ftext%3E%3Cimage%20href%3Dx%20onerror%3Dalert(document.domain)%3E%3C%2Fimage%3E%3Ctext%3E\n```\n\nExpected result:\n\n- JavaScript executes (`alert(document.domain)`), confirming reflected XSS.\n\n#### Authenticated impact demonstration\nIf a victim is authenticated in the same browser session, JavaScript running in origin can call privileged APIs and exfiltrate returned data.\n\n### Impact\nThis is a reflected XSS in an unauthenticated endpoint, with realistic account/data compromise impact:\n\n- Arbitrary JavaScript execution in SiYuan web origin.\n- Authenticated action abuse via same-origin API calls.\n- Sensitive data exposure (notes/config/API responses) from victim context.\n- Potential chained server-impact actions depending on victim privileges and deployment mode.",
  "id": "GHSA-6865-qjcf-286f",
  "modified": "2026-03-06T21:58:04Z",
  "published": "2026-03-04T21:45:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29183"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/d68bd5a79391742b3cb2e14d892bdd9997064927"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.