Critical Vulnerability Information

Vulnerability Type: Stored XSS / RCE
Affected Versions: <= v3.5.3
Fixed Version: v3.5.4
CVE ID: CVE-2026-23852
Severity: High

Vulnerability Description

Summary
- SiYuan contains a stored XSS vulnerability that allows attackers to inject arbitrary HTML attributes into a block's attributes via the API. If the payload is rendered without encoding appropriate to its context, it may lead to stored XSS and potentially to Remote Code Execution (RCE) through the dynamic icon feature.

Details
- The endpoint accepts attacker-controlled data in the field.
- Static icons are stored within blocks and inserted into HTML attribute contexts when loaded on demand. If the value is not properly encoded, a specially crafted attribute can execute arbitrary script.
- This issue is a variant of a previously fixed dynamic icon vulnerability. The prior fix restricted client-side exploitation, but the API endpoint still reaches the vulnerable sink, making this a bypass/regression issue.

Impact
- Stored XSS: Any user viewing the affected block will trigger attacker-controlled JavaScript.
- Desktop RCE: In the desktop application, XSS can be escalated to arbitrary command execution.

Attack Prerequisites: Write access to the API and block attributes (either direct write or indirect invocation of the function).

Exploit Code Example

Impact Assessment
Stored XSS with potential for remote code execution. Should be treated as a bypass of the fix for #15970 and assigned a new CVE ID.
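The sink class the advisory describes is an untrusted block attribute value concatenated into an HTML attribute. The following is an added illustration, not SiYuan's code or its fix: it contrasts raw concatenation with context-appropriate attribute encoding and includes a regression-style check that the rendered tag did not gain attributes. The `data-icon` attribute, the `block-icon` class and the constructed input value are assumptions for the example.

```javascript
// Added example (not from the SiYuan project): encoding an untrusted value
// for the HTML attribute context, and checking that the value cannot
// break out of the attribute it was written into.
// Assumption: a block's icon value is attacker-controlled and ends up in a
// tag shaped like <span class="block-icon" data-icon="..."> at render time.

// Encode a string for placement between double quotes in an HTML attribute.
// Every character that can close the attribute or tag, or start a character
// reference, is replaced with an entity so the browser treats it as text.
function encodeHtmlAttr(value) {
  return String(value).replace(/[&<>"'`=]/g, (ch) => {
    switch (ch) {
      case '&': return '&amp;';
      case '<': return '&lt;';
      case '>': return '&gt;';
      case '"': return '&quot;';
      case "'": return '&#39;';
      case '`': return '&#96;';
      case '=': return '&#61;';
      default: return ch;
    }
  });
}

// Vulnerable pattern: the stored value is concatenated straight into markup.
function renderIconUnsafe(icon) {
  return '<span class="block-icon" data-icon="' + icon + '"></span>';
}

// Hardened pattern: identical markup, value encoded for the attribute context.
function renderIconSafe(icon) {
  return '<span class="block-icon" data-icon="' + encodeHtmlAttr(icon) + '"></span>';
}

// Regression check: count `name=` attribute tokens in the first tag of the
// rendered markup. For this template the answer must always be 2 (class and
// data-icon); any other number means the value created an attribute.
function attributeCount(html) {
  const firstTag = html.match(/<[^>]*>/);
  if (!firstTag) return 0;
  return (firstTag[0].match(/\s[a-zA-Z-]+=/g) || []).length;
}

// Constructed test value: a benign attribute breakout that adds a marker
// attribute, enough to show the difference without executing anything.
const CONSTRUCTED_INPUT = 'star" data-injected="1';

// Stand-alone demonstration.
console.log('unsafe:', renderIconUnsafe(CONSTRUCTED_INPUT),
            'attributes =', attributeCount(renderIconUnsafe(CONSTRUCTED_INPUT)));
console.log('safe:  ', renderIconSafe(CONSTRUCTED_INPUT),
            'attributes =', attributeCount(renderIconSafe(CONSTRUCTED_INPUT)));
```

Encoding at the sink is the fix that holds regardless of which API path delivers the value, which is the point the advisory makes about the earlier client-side-only fix; rejecting values that cannot be a valid icon at the API layer is a reasonable second layer, but not a substitute.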