Home / Vulnerability Intelligence / CVE-2026-29183

CVE-2026-29183 - Vulnerability Analysis

CriticalCVSS: 9.3

Last Updated: March 9, 2026

SiYuan - Reflected XSS

Published: March 6, 2026Updated: March 9, 2026Remote Exploitable

Overview

SiYuan < 3.5.9 contains an unauthenticated reflected XSS caused by improper escaping of attacker-controlled content in the dynamic icon API endpoint GET /api/icon/getDynamicIcon with type=8, letting remote attackers execute JavaScript in the web origin, exploit requires victim to open crafted URL.

Severity & Score

Severity: Critical

CVSS Score: 9.3

EPSS Score: 3.3%(Probability of exploitation in next 30 days)

Impact

Attackers can execute JavaScript in the victim's browser, potentially leading to data exfiltration and unauthorized API actions.

Mitigation

Update to version 3.5.9 or later.

References

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 6, 2026

🔴 CVE-2026-29183 - Critical (9.3) SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8, attacker-controlled content is embedded in... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29183/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-29183
Severity: Critical
CVSS Score: 9.3
Type: reflected_xss
Status: unconfirmed
EPSS: 3.3%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score

3.3%Probability of exploitation in the next 30 days