SiYuan note-taking app patches critical XSS flaw that let attackers steal private notes
A critical flaw in SiYuan's icon API let attackers steal notes from logged-in users by sending a single crafted link.

Security researchers disclosed a critical reflected cross-site scripting vulnerability in SiYuan, a widely used personal knowledge management application, that let an attacker holding no credentials of their own run arbitrary JavaScript in a victim's browser, and from there read the victim's private notes, simply by getting a logged-in user to open a crafted link.
The vulnerability, tracked as GHSA-6865-qjcf-286f and referenced in advisories under both CVE-2026-2918 and CVE-2026-29183 (sources disagree on the canonical identifier), carries a CVSS 3.1 base score of 9.3 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, placing it firmly in the critical tier. Read component by component, the vector says the endpoint is reachable over the network, needs no privileges to hit, requires one user interaction (the victim opens the link), and changes scope because the injected script runs with the authority of the application's own origin rather than that of the vulnerable endpoint. The flaw is classified under CWE-79, improper neutralization of input during web page generation.
The root cause is a single unguarded API endpoint. SiYuan's GET /api/icon/getDynamicIcon route, which generates SVG text icons, accepts a content query parameter and, when called with type=8, inserts that content directly into an SVG text element without XML escaping. "When type=8, attacker-controlled content is embedded into SVG output without escaping," advisories stated. Because the endpoint is unauthenticated and the server responds with Content-Type: image/svg+xml, a browser that navigates to the URL treats the response as a full SVG document, in which scripts and event handlers run, rather than as inert image data. (The same URL referenced from an img element would not run scripts, which is why the attack is delivered as a link for the victim to open.)
That distinction is the crux of the attack. SVG documents can carry JavaScript, both in script elements and in event-handler attributes such as onerror, and because the malicious response is served from SiYuan's own web origin, the script inherits full same-origin privileges over that application. "Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin," the advisories explained. Proof-of-concept testing confirmed JavaScript execution by triggering alert(document.domain) in the victim's browser.
The practical danger is the chaining step. If the person who opens the link has an authenticated SiYuan session in the same browser, the injected script can immediately make API calls that carry that session's credentials, and the same-origin policy does not stand in the way because the requests originate from the application's own origin. "This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link," researchers noted, meaning an attacker could silently harvest notes, configuration data, and API responses without ever needing credentials of their own.
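To make the defect concrete, here is an added illustration in Go, the language of SiYuan's kernel. It is not SiYuan's code: the SVG template, the attribute names and the helper names renderTextIcon, contentFromQuery and injectedElements are assumptions made for the example, and the request it feeds in is constructed. It renders a type=8 icon twice, once interpolating the content parameter verbatim as the advisory describes the vulnerable handler, once with XML escaping applied first, and then parses each result to show which elements the client was able to introduce.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// renderTextIcon is an illustrative reconstruction of a type=8 dynamic text
// icon, not SiYuan's kernel/api/icon.go: the request's content parameter is
// placed inside an SVG <text> element. With escape=false the string goes in
// verbatim, which is the defect the advisory describes; with escape=true it
// is XML-escaped first, so it can only ever be character data.
func renderTextIcon(content string, escape bool) string {
	if escape {
		var sb strings.Builder
		// EscapeText rewrites < > & " ' as entities, so nothing the client
		// sent can open a new element or attribute.
		_ = xml.EscapeText(&sb, []byte(content))
		content = sb.String()
	}
	return `<svg xmlns="http://www.w3.org/2000/svg" width="96" height="96">` +
		`<text x="48" y="56" text-anchor="middle">` + content + `</text></svg>`
}

// contentFromQuery reads the content parameter from a raw query string the
// way a handler calling r.URL.Query() would; the server does the URL decoding.
func contentFromQuery(rawQuery string) (string, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	if q.Get("type") != "8" {
		return "", fmt.Errorf("type=%q is not a text icon request", q.Get("type"))
	}
	return q.Get("content"), nil
}

// injectedElements parses the rendered SVG and returns every element that is
// not part of the icon template (<svg> and <text>). A benign rendering
// yields none; anything else is structure the client managed to inject.
func injectedElements(svg string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(svg))
	var extra []string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return extra, nil
		}
		if err != nil {
			return nil, err
		}
		if se, ok := tok.(xml.StartElement); ok {
			if n := se.Name.Local; n != "svg" && n != "text" {
				extra = append(extra, n)
			}
		}
	}
}

func main() {
	// Constructed request modelled on the advisory: the content closes the
	// <text> element and adds an <image> whose onerror handler fires when the
	// href fails to load. Served as image/svg+xml and opened as a document,
	// the handler runs in the application's origin.
	payload := `</text><image href="x" onerror="alert(document.domain)"/><text>`
	content, err := contentFromQuery("type=8&content=" + url.QueryEscape(payload))
	if err != nil {
		panic(err)
	}
	for _, escape := range []bool{false, true} {
		svg := renderTextIcon(content, escape)
		extra, err := injectedElements(svg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("escape=%-5v injected elements=%v\n%s\n\n", escape, extra, svg)
	}
}
```

Run as is, the unescaped rendering reports an injected image element while the escaped one reports none. The fix the advisories describe sanitizes the finished SVG after the fact; escaping the parameter at the point of interpolation, as above, is the more conservative design because it leaves the client no way to create elements or attributes in the first place, rather than relying on a strip-list of dangerous ones.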

A fix is available, though the exact patched version number varies across advisory sources. Radar Offseq states the issue is patched in SiYuan version 3.5.9, while Miggo Io cites version 3.5.4 and references commit 5c0cc375b47567e15edd2119066b09bb0aa18777, which modifies kernel/api/icon.go to add a sanitization call before the response is sent. "The patch introduces a sanitization step by calling util.RemoveScriptsInSVG(svg) before the SVG is sent in the HTTP response," Miggo Io noted. Vulnerability databases list the fixed Go module pseudo-version as 0.0.0-20260304034809-d68bd5a79391; the timestamp embedded in it corresponds to March 4, 2026, but the commit hash prefix it carries (d68bd5a79391) is not the commit Miggo Io cites. Neither the 3.5.4 versus 3.5.9 discrepancy nor the commit mismatch has been publicly reconciled; users should verify the correct patched release against SiYuan's official GitHub repository or release notes.
GitHub and the GitLab advisory database both show the vulnerability was first published March 4, 2026, with database entries updated through March 9, 2026.
SiYuan users running unpatched versions should upgrade immediately. Anyone who opened a suspicious SiYuan-origin link while authenticated should assume their notes and stored data may have been accessed. Where logs exist, for instance on a reverse proxy in front of a self-hosted instance, the requests to look for are GETs to /api/icon/getDynamicIcon with type=8 whose content parameter, once URL-decoded, contains markup or an event-handler attribute rather than plain text; any authenticated API traffic that follows such a request from the same client warrants review.
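For the log review recommended above, the following added Go example (not from SiYuan or its maintainers) scans access-log lines for getDynamicIcon requests of type 8 whose decoded content parameter contains markup or an event-handler attribute. The sample lines are constructed in Common Log Format; the page does not document SiYuan's own logging, so the request-line extraction and the function name suspiciousIconRequests are assumptions to be adapted to whatever log source is actually available.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example in Common Log Format. It is not
// a real SiYuan log; adapt requestLine to the actual log source.
var sampleLog = `203.0.113.7 - - [04/Mar/2026:10:01:12 +0000] "GET /api/icon/getDynamicIcon?type=8&content=Hello HTTP/1.1" 200 612
203.0.113.9 - - [04/Mar/2026:10:02:45 +0000] "GET /api/icon/getDynamicIcon?type=8&content=%3C%2Ftext%3E%3Cimage+href%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 731
198.51.100.4 - - [04/Mar/2026:10:03:01 +0000] "GET /api/icon/getDynamicIcon?type=1&color=%23ff0000 HTTP/1.1" 200 540
198.51.100.4 - - [04/Mar/2026:10:03:30 +0000] "GET /api/system/version HTTP/1.1" 200 20`

// requestLine captures the request target out of a CLF request line.
var requestLine = regexp.MustCompile(`"(?:GET|POST) (\S+) HTTP/`)

// activeMarkup is a triage heuristic over the decoded content parameter: a
// literal '<' (the client is opening an element) or an event-handler
// attribute such as onerror= or onload=. Plain icon text never needs either.
var activeMarkup = regexp.MustCompile(`(?i)<|\bon[a-z]+\s*=`)

// Hit is one flagged request with its decoded content parameter.
type Hit struct {
	Line    string
	Content string
}

// suspiciousIconRequests returns the getDynamicIcon requests with type=8
// whose decoded content parameter carries markup or an event handler.
func suspiciousIconRequests(log string) []Hit {
	var hits []Hit
	for _, line := range strings.Split(log, "\n") {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil || u.Path != "/api/icon/getDynamicIcon" {
			continue
		}
		q := u.Query() // URL-decodes the parameters, including + as space
		if q.Get("type") != "8" {
			continue
		}
		if content := q.Get("content"); activeMarkup.MatchString(content) {
			hits = append(hits, Hit{Line: line, Content: content})
		}
	}
	return hits
}

func main() {
	for _, h := range suspiciousIconRequests(sampleLog) {
		fmt.Printf("suspicious: %s\n  decoded content: %s\n", h.Line, h.Content)
	}
}
```

Of the four constructed lines only the second is flagged: the first is a benign text icon, the third is a different icon type, and the fourth is a different endpoint. A flagged request identifies the link that was opened, not who opened it with a session; correlate the client address and timestamp with subsequent authenticated API calls to judge what may have been read.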

