NIXPKGS-2026-0053

published on 20 Jan 2026

Permalink CVE-2026-23852

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

SiYuan vulnerable to Stored XSS / RCE via `setBlockAttrs` icon attribute

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix.

Affected products

siyuan

==< 3.5.4

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.4.0
- nixpkgs-unstable 3.4.0
- nixos-unstable-small 3.4.0

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Upstream patch: https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb
Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0053

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers