CVE-2026-29183: SiYuan: Unauthenticated Reflected XSS via SVG Injection in /api/icon/getDynamicIcon Endpoint
An unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint:
GET /api/icon/getDynamicIcon
When type=8, attacker-controlled request content is embedded into the SVG body without escaping. Because the endpoint requires no authentication and the response is served as image/svg+xml, a crafted URL can close the surrounding element and inject SVG/HTML markup carrying event handlers (for example onerror), which the browser executes in the SiYuan web origin when the URL is opened directly as a document (an SVG referenced from an <img> tag does not run script, so the attack depends on the victim navigating to the link).
Script running in that origin can call the authenticated API with the victim's session, so the flaw can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link.
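The following is an added example, written for this page and not taken from the SiYuan source, that models the vulnerable pattern beside the fixed one. The query parameter name `content`, the SVG layout, and the handler shape are assumptions; only the endpoint path and the `type=8` condition come from the advisory. It also shows a structural check that walks the returned SVG as XML and flags script elements, on* attributes and javascript: hrefs, and a handler that escapes the value and adds a CSP sandbox as defence in depth.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// iconTypeCustomText is the type value the advisory names; the parameter name
// "content" and the SVG layout below are assumptions for this example.
const iconTypeCustomText = "8"

const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">` +
	`<text x="64" y="72" font-size="24" text-anchor="middle">%s</text></svg>`

// renderIconUnsafe reproduces the vulnerable pattern: for type=8 the caller's
// value is spliced into the SVG body verbatim, so a value such as
// `</text><image href="x" onerror="alert(1)"/>` becomes real markup inside an
// image/svg+xml response.
func renderIconUnsafe(typ, content string) string {
	if typ != iconTypeCustomText {
		content = "" // other icon types take their label from trusted data (modelled as empty)
	}
	return fmt.Sprintf(svgTemplate, content)
}

// renderIconSafe is the fix at the injection point: html.EscapeString turns
// < > & ' " into entities, so the value can only ever be text content of <text>.
func renderIconSafe(typ, content string) string {
	if typ != iconTypeCustomText {
		content = ""
	}
	return fmt.Sprintf(svgTemplate, html.EscapeString(content))
}

// containsActiveContent walks the SVG as XML and reports anything that could
// execute when the document is opened directly: a <script> element, an on*
// event-handler attribute, or a javascript: href. Escaped text inside <text>
// is character data, not an element, so it is never flagged. Input that does
// not parse as XML is treated as suspicious (fail closed).
func containsActiveContent(svg string) bool {
	dec := xml.NewDecoder(strings.NewReader(svg))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false
		}
		if err != nil {
			return true
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if strings.EqualFold(se.Name.Local, "script") {
			return true
		}
		for _, a := range se.Attr {
			name := strings.ToLower(a.Name.Local)
			val := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(name, "on") || (name == "href" && strings.HasPrefix(val, "javascript:")) {
				return true
			}
		}
	}
}

// iconHandler is an assumed handler shape: it serves the escaped SVG and adds
// a CSP sandbox so that even a future escaping bug cannot run script in the
// application origin, plus nosniff so the body is never re-read as HTML.
func iconHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	w.Header().Set("Content-Type", "image/svg+xml")
	w.Header().Set("Content-Security-Policy", "sandbox; script-src 'none'")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	fmt.Fprint(w, renderIconSafe(q.Get("type"), q.Get("content")))
}

// serveIcon runs one request against iconHandler and returns status, CSP header and body.
func serveIcon(typ, content string) (int, string, string) {
	q := url.Values{"type": {typ}, "content": {content}}
	req := httptest.NewRequest(http.MethodGet, "/api/icon/getDynamicIcon?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	iconHandler(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Content-Security-Policy"), rec.Body.String()
}

func main() {
	// Constructed payload of the kind the advisory describes (an onerror handler).
	payload := `</text><image href="x" onerror="alert(1)"/>`
	fmt.Println("unsafe render executable:", containsActiveContent(renderIconUnsafe("8", payload)))
	fmt.Println("safe render executable:  ", containsActiveContent(renderIconSafe("8", payload)))
	_, csp, body := serveIcon("8", payload)
	fmt.Println("CSP:", csp)
	fmt.Println("body:", body)
}
```

The structural check is deliberately not a regex over the raw text: after escaping, the string `onerror=` still appears inside the `<text>` node as character data, so a substring match would report a false positive while the XML walk correctly sees no element or attribute. Escaping at the injection point is the actual fix; the CSP sandbox only limits the blast radius if escaping is ever missed.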