CVE-2026-29183

SiYuan · SiYuan

SiYuan versions prior to 3.5.9 contain an unauthenticated reflected XSS vulnerability in the dynamic icon API endpoint, allowing JavaScript execution via crafted SVG outputs.

Executive summary

A critical unauthenticated reflected cross-site scripting (XSS) vulnerability in SiYuan allows remote attackers to execute arbitrary JavaScript and exfiltrate sensitive user data.

Vulnerability

This flaw exists in the GET /api/icon/getDynamicIcon endpoint when the type parameter is set to 8. An unauthenticated attacker can supply content that is embedded into the generated SVG output without proper escaping, so that markup in the parameter is interpreted rather than rendered as text, leading to JavaScript execution in the context of the victim's SiYuan web session.
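The root cause described above is a text-to-markup boundary: a request parameter is copied into SVG, which is XML, without escaping. The following Go program is an added illustration of the defensive pattern, not SiYuan's own code; the function names, the icon layout and the `label`/`color` parameters are assumptions. It escapes every untrusted value for its XML context with `xml.EscapeText`, and then re-parses the produced document against an allow-list of elements and attributes so that a regression in the escaping is caught before the response is served.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// renderIconSVG builds a dynamic icon SVG that embeds caller-supplied text.
// Hypothetical example; it is not SiYuan's implementation. Every untrusted
// value is XML-escaped before it reaches the markup, so '<', '>', '&' and
// quotes in the input become inert character data instead of new elements
// or attributes.
func renderIconSVG(label, color string) string {
	var buf bytes.Buffer
	buf.WriteString(`<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">`)
	buf.WriteString(`<rect width="64" height="64" fill="`)
	xml.EscapeText(&buf, []byte(color)) // attribute-value context
	buf.WriteString(`"/><text x="32" y="40" text-anchor="middle">`)
	xml.EscapeText(&buf, []byte(label)) // element-text context
	buf.WriteString(`</text></svg>`)
	return buf.String()
}

// svgIsSafe re-parses the generated document and rejects anything outside
// the tiny vocabulary an icon needs: only svg/rect/text elements, and no
// event-handler (on*) or href attributes. It is an output check, i.e. a
// second line of defence behind the escaping, not a replacement for it.
func svgIsSafe(doc string) bool {
	allowed := map[string]bool{"svg": true, "rect": true, "text": true}
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return true
		}
		if err != nil {
			return false // malformed XML is rejected rather than served
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // character data, comments, etc.
		}
		if !allowed[se.Name.Local] {
			return false
		}
		for _, a := range se.Attr {
			n := strings.ToLower(a.Name.Local)
			if strings.HasPrefix(n, "on") || n == "href" {
				return false
			}
		}
	}
}

func main() {
	// Constructed input containing markup characters, to show them neutralised.
	svg := renderIconSVG("<script>1</script>", "red")
	fmt.Println(svg)
	fmt.Println("safe:", svgIsSafe(svg))
}
```

The escaped label shows up in the response as `&lt;script&gt;1&lt;/script&gt;`, which the browser renders as literal characters inside the `<text>` element; `svgIsSafe` additionally refuses a document in which a `script` element or an `on*` attribute did slip through.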

Business impact

A successful exploit allows an attacker to perform actions on behalf of a logged-in user, potentially leading to the full compromise of the personal knowledge management system. With a CVSS score of 9.3, the risk is critical as it can result in the exfiltration of sensitive private notes, research, and authentication tokens, causing significant privacy breaches and data loss.

Remediation

Immediate Action: Administrators and individual users must update SiYuan to version 3.5.9 or later immediately to patch the vulnerable API endpoint.

Proactive Monitoring: Security teams should review web server logs for suspicious requests to the /api/icon/getDynamicIcon endpoint, specifically looking for unusual characters or script tags in the query parameters.
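To make the log review above concrete, here is an added Go scanner (not part of the advisory or of SiYuan) that reads access log lines in the common log format, selects requests whose path is /api/icon/getDynamicIcon, URL-decodes each query parameter and reports values containing markup characters or a `script` token. The sample log lines and the `content`/`color` parameter names are constructed for the example and are assumptions about the request shape.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// targetPath is the endpoint named in the advisory.
const targetPath = "/api/icon/getDynamicIcon"

// reqRe pulls the request target out of a common/combined log format entry.
var reqRe = regexp.MustCompile(`"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"`)

// Finding records one suspicious parameter value and the log line it came from.
type Finding struct {
	Line  int    // 1-based index into the scanned slice
	Param string // query parameter name
	Value string // decoded value that triggered the finding
}

// suspiciousMarkup reports whether a decoded parameter value carries
// characters or tokens that an icon request has no legitimate use for.
func suspiciousMarkup(v string) bool {
	lower := strings.ToLower(v)
	return strings.ContainsAny(v, `<>"'`) ||
		strings.Contains(lower, "script")
}

// scanLogs returns every suspicious parameter seen in requests to targetPath.
// Parameters are visited in sorted order so results are deterministic.
func scanLogs(lines []string) []Finding {
	var out []Finding
	for i, ln := range lines {
		m := reqRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[1])
		if err != nil || u.Path != targetPath {
			continue
		}
		q := u.Query() // percent-decodes each value
		keys := make([]string, 0, len(q))
		for k := range q {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			for _, v := range q[k] {
				if suspiciousMarkup(v) {
					out = append(out, Finding{Line: i + 1, Param: k, Value: v})
				}
			}
		}
	}
	return out
}

// sampleLines are constructed log entries, not real traffic.
var sampleLines = []string{
	`127.0.0.1 - - [01/Jan/2026:10:00:00 +0000] "GET /api/icon/getDynamicIcon?type=8&content=Daily HTTP/1.1" 200 512`,
	`127.0.0.1 - - [01/Jan/2026:10:00:01 +0000] "GET /api/icon/getDynamicIcon?type=8&content=%3Cscript%3E HTTP/1.1" 200 540`,
	`127.0.0.1 - - [01/Jan/2026:10:00:02 +0000] "GET /api/icon/getDynamicIcon?type=1&color=%22%3E HTTP/1.1" 200 400`,
	`127.0.0.1 - - [01/Jan/2026:10:00:03 +0000] "GET /stage/build/app/index.html?x=%3Cscript%3E HTTP/1.1" 200 100`,
}

func main() {
	for _, f := range scanLogs(sampleLines) {
		fmt.Printf("line %d: param %q value %q\n", f.Line, f.Param, f.Value)
	}
}
```

Run against the constructed sample, the scanner flags lines 2 and 3 and ignores line 4 because the path is not the vulnerable endpoint; line 1 is a benign request with a plain-text value. A real deployment would read the server's actual log file and could feed the findings into a SIEM rule keyed on the same path.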

Compensating Controls: Implementing a strict Content Security Policy (CSP) with restrictive script-src and object-src directives limits what injected markup can execute, and can reduce the impact of XSS vulnerabilities if the update cannot be applied immediately.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this reflected XSS vulnerability should not be underestimated given its unauthenticated nature and the sensitive data typically stored within SiYuan. It is highly recommended that all users apply the version 3.5.9 update immediately to protect their data from unauthorized exfiltration and session hijacking.