CNNVD-202601-2992 Information
CNNVD ID
CNNVD-202601-2992
Related CVE
- CNNVD Published: 2026-01-19
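Description (translated from Chinese)
SiYuan is a privacy-first personal knowledge management system open-sourced by SiYuan. Versions of SiYuan before 3.5.4 contain a code injection vulnerability. The flaw arises because the /api/attr/setBlockAttrs API allows an attacker to inject arbitrary HTML attributes into a block's icon attribute, which can lead to stored cross-site scripting and, in desktop environments, to remote code execution.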
Description (English)
SiYuan is an open-source, privacy-first personal knowledge management system. Versions before SiYuan 3.5.4 have a code injection vulnerability: the /api/attr/setBlockAttrs API allows an attacker to inject arbitrary HTML attributes into a block's icon attribute, which may result in stored cross-site scripting (XSS) and, in the desktop environment, remote code execution.
Hazard Level
Low
Vulnerability Type
Code injection
Affected Vendor
SiYuan
Published
2026-01-19
Last Modified
2026-02-24
References
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv
https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb
https://access.redhat.com/security/cve/cve-2026-23852
Patch
https://github.com/siyuan-note/siyuan/releases