Goal Reached Thanks to every supporter β€” we hit 100%!

Goal: 1000 CNY Β· Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-29183 β€” AI Deep Analysis Summary

CVSS 9.3 Β· Critical

Q1What is this vulnerability? (Essence + Consequences)

🚨 **Essence**: Reflected XSS in SiYuan Note. πŸ“‰ **Consequences**: Arbitrary JS execution, API abuse, and sensitive data leakage via crafted links.

Q2Root Cause? (CWE/Flaw)

πŸ›‘οΈ **Root Cause**: CWE-79. The `/api/icon/getDynamicIcon` endpoint fails to escape attacker-controlled `content` in SVG output. πŸ› **Flaw**: Unsafe rendering logic for `type=8`.

Q3Who is affected? (Versions/Components)

πŸ‘₯ **Affected**: SiYuan Note versions **< 3.5.9**. πŸ“¦ **Component**: Dynamic Icon API endpoint.

Q4What can hackers do? (Privileges/Data)

πŸ’€ **Attacker Actions**: Execute JS in victim's browser. πŸ“‚ **Impact**: Perform authenticated API operations & steal sensitive user data.

Q5Is exploitation threshold high? (Auth/Config)

πŸ”“ **Threshold**: Low. ⚠️ **Auth**: Unauthenticated vector. πŸ–±οΈ **UI**: Requires User Interaction (clicking a malicious link).

Q6Is there a public Exp? (PoC/Wild Exploitation)

πŸ” **Exploit**: Yes. Public PoC available via Nuclei templates. 🌐 **Status**: Wild exploitation possible via crafted URLs.

Q7How to self-check? (Features/Scanning)

πŸ”Ž **Check**: Scan for `/api/icon/getDynamicIcon?type=8`. πŸ§ͺ **Test**: Inject payload into `content` param to trigger SVG rendering.

Q8Is it fixed officially? (Patch/Mitigation)

πŸ› οΈ **Fix**: Upgrade to SiYuan Note **v3.5.9+**. βœ… **Status**: Patched officially (GHSA-6865-qjcf-286f).

Q9What if no patch? (Workaround)

🚧 **Workaround**: If unpatched, restrict access to the icon API endpoint or implement strict input sanitization for SVG content.

Q10Is it urgent? (Priority Suggestion)

⚑ **Priority**: HIGH. 🚨 **Reason**: Unauthenticated, easy to exploit, and leads to data breach. Patch immediately!

Continue exploring

Vulnerability detail Full AI analysis (login) siyuan-note CWE-79