
CVE-2026-23852: Medium Vulnerability in b3log SiYuan

A stored Cross-Site Scripting (XSS) vulnerability in b3log SiYuan prior to version 3.5.4 can allow attackers to inject arbitrary HTML, leading to potential remote code execution. Organizations should prioritize patching to mitigate risks associated with this vulnerability.

Severity: MEDIUM · CVSS 5.8 · Published January 19, 2026


The vulnerability identified as CVE-2026-23852 affects b3log SiYuan, a personal knowledge management system. It is a stored Cross-Site Scripting (XSS) flaw present in versions prior to 3.5.4. By injecting arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API, an attacker can manipulate the dynamic icon feature so that the injected markup is stored and later rendered, resulting in stored XSS. In desktop environments the impact extends to remote code execution (RCE).

The severity level is classified as medium, with a CVSS score of 5.8. This score indicates that while the attack complexity is low and does not require special privileges, successful exploitation could lead to significant impacts, particularly in terms of data integrity and confidentiality. Organizations using affected versions are urged to take immediate action.

Given the nature of the vulnerability, which bypasses previous fixes for a related issue (issue `#15970`), it is critical that organizations prioritize applying the patch available in version 3.5.4. Failure to remediate this vulnerability could expose systems to unnecessary risks.

As of now, no public exploit has been confirmed, and the vulnerability does not appear in the Known Exploited Vulnerabilities (KEV) catalog. However, attackers may leverage this vulnerability if it remains unaddressed.

Organizations should prioritize patching immediately.

Vulnerability Details

The official description states that versions of SiYuan prior to 3.5.4 are vulnerable to a stored XSS issue. The CVSS score of 5.8 indicates that while the attack vector is network-based and requires low complexity, user interaction is essential for exploitation. This vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Code Injection).

Technical Analysis

The root cause of this vulnerability is the unsanitized rendering of user input within the dynamic icon feature. An attacker can store malicious markup that is executed in the context of the viewing user's session. The attack vector is network-based, requiring no privileges but necessitating user interaction to trigger the XSS. The integrity and confidentiality impacts are high, because in desktop environments the injected content can be escalated to arbitrary code execution.

Risk & Impact Analysis

The potential risk to organizations includes unauthorized access to sensitive information and execution of malicious code, which can compromise the application and its users. Given the possibility of RCE, the blast radius could encompass not only the application itself but also connected systems. With the CVSS score indicating medium severity, organizations should address this vulnerability in their priority patch cycle.

Exploitation Status

| Signal             | Status |
|--------------------|--------|
| Known Exploit      | No     |
| Public PoC         | No     |
| Actively Exploited | No     |
| Ransomware Use     | No     |

Affected Versions

The vulnerability affects all versions of SiYuan prior to 3.5.4. Organizations should ensure they are running the latest version to mitigate this risk.

Mitigation & Remediation

To remediate this vulnerability, upgrade to SiYuan version 3.5.4 or later. If immediate patching is not feasible, consider implementing web application firewalls (WAF) to filter out malicious payloads. Additionally, organizations should review their input validation processes and ensure that sanitization is performed on all user inputs.

Organizations should validate remediation through penetration testing to identify similar weaknesses.

Detection Guidance

Monitor application logs for any suspicious activities related to the `setBlockAttrs` API. Additionally, look for any unexpected changes in the dynamic icon feature that could indicate exploitation attempts.
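The mitigation and detection guidance above both come down to the same check: an `icon` attribute value should have a narrow expected shape, and anything that does not fit it (quotes, angle brackets, attribute names) is worth flagging or rejecting. The following is an added example, not SiYuan project code; the allowlist pattern, the request field names and the log line format are assumptions for illustration. It validates icon values against an allowlist (an allowlist is preferable to a blocklist here, since this CVE bypassed an earlier fix for issue `#15970`) and applies that validator to constructed log lines of `setBlockAttrs` calls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal shape of a /api/attr/setBlockAttrs body: block id plus an attribute map.
// The field names are an assumption for this example.
type setBlockAttrsRequest struct {
	ID    string            `json:"id"`
	Attrs map[string]string `json:"attrs"`
}

// Hypothetical allowlist: an icon is a hex emoji code point sequence (e.g. "1f600")
// or a plain image filename. Quotes, angle brackets and spaces can never pass.
var iconAllowed = regexp.MustCompile(`^([0-9a-f]{4,6}(-[0-9a-f]{4,6})*|[A-Za-z0-9_-]+\.(png|svg|jpg))$`)

func iconValueOK(v string) bool { return iconAllowed.MatchString(v) }

// suspiciousIconRequests scans constructed log lines of the form
// "<method> <path> <json-body>" and returns those setBlockAttrs calls whose
// icon attribute fails the allowlist (or whose body does not parse).
func suspiciousIconRequests(logLines []string) []string {
	var hits []string
	for _, line := range logLines {
		parts := strings.SplitN(line, " ", 3)
		if len(parts) < 3 || !strings.HasSuffix(parts[1], "/api/attr/setBlockAttrs") {
			continue
		}
		var req setBlockAttrsRequest
		if err := json.Unmarshal([]byte(parts[2]), &req); err != nil {
			hits = append(hits, line) // malformed body on a sensitive endpoint
			continue
		}
		if icon, ok := req.Attrs["icon"]; ok && !iconValueOK(icon) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	// Constructed sample log lines; the third carries an attribute breakout.
	logs := []string{
		`POST /api/attr/setBlockAttrs {"id":"20240101-abc","attrs":{"icon":"1f600"}}`,
		`POST /api/attr/setBlockAttrs {"id":"20240101-abc","attrs":{"icon":"note.png"}}`,
		`POST /api/attr/setBlockAttrs {"id":"20240101-abc","attrs":{"icon":"1f600\" class=\"injected"}}`,
		`POST /api/block/getBlockInfo {"id":"20240101-abc"}`,
	}
	for _, h := range suspiciousIconRequests(logs) {
		fmt.Println("flagged:", h)
	}
}
```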

AppSecure Threat Intelligence Insight

As organizations continue to adopt knowledge management systems, the implications of vulnerabilities like CVE-2026-23852 highlight the importance of robust security measures. This incident serves as a reminder of the evolving nature of web application threats and reinforces the necessity for regular security assessments.

Security teams should consider reviewing their vulnerability management programs and ensure that they are equipped to handle unforeseen vulnerabilities effectively.

For organizations using cloud platforms, integrating security practices into the development lifecycle is crucial. Consider reviewing the cloud penetration testing guide for tailored security measures.

Finally, organizations may benefit from exploring penetration testing methodologies to strengthen their security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
