CVE-2026-25539

CRITICAL

SiYuan < 3.5.5 - Authenticated Path Traversal and Remote Code Execution via File Copy Endpoint

Title source: llm

Description

SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, so an authenticated user can supply traversal sequences or an absolute path and have the copied file written to any location the SiYuan process can write (CWE-22). Because the attacker controls the copied content as well as the destination, this can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
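The pattern the description refers to, shown as an added Go example written for this page (it is not SiYuan's handler or its fix; the function names, the workspace layout and the temporary-directory demo are assumptions for illustration). copyFileUnsafe joins dest to the workspace root without any check, so "../..." or an absolute path lands outside it. copyFileSafe applies the same check to src and dest: it rejects absolute paths, compares the cleaned lexical path against the root, and then resolves symlinks on the deepest existing ancestor so a planted link cannot redirect the write either.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when a resolved path escapes the workspace root.
var ErrOutsideWorkspace = errors.New("path escapes workspace")

// copyContents copies one regular file to destPath, creating parent directories.
func copyContents(srcPath, destPath string) error {
	in, err := os.Open(srcPath)
	if err != nil {
		return err
	}
	defer in.Close()
	if err := os.MkdirAll(filepath.Dir(destPath), 0o755); err != nil {
		return err
	}
	out, err := os.Create(destPath)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, in)
	return err
}

// copyFileUnsafe mirrors the vulnerable pattern (hypothetical, not SiYuan's code):
// dest is joined to the workspace with no validation, so "../x" or an absolute
// path resolves outside the workspace and the copy is written there.
func copyFileUnsafe(root, src, dest string) error {
	return copyContents(filepath.Join(root, src), filepath.Join(root, dest))
}

// safeJoin resolves rel against root and fails unless the result is strictly
// inside root. Lexical check first (Join folds ".."), then a symlink-resolved
// check on the deepest existing ancestor of the target. Hypothetical helper.
func safeJoin(root, rel string) (string, error) {
	if filepath.IsAbs(rel) {
		return "", ErrOutsideWorkspace
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(absRoot, rel)
	r, err := filepath.Rel(absRoot, joined)
	sep := string(filepath.Separator)
	if err != nil || r == "." || r == ".." || strings.HasPrefix(r, ".."+sep) {
		return "", ErrOutsideWorkspace
	}
	// Walk up to the deepest component that exists; that is what a symlink could hijack.
	existing := joined
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		parent := filepath.Dir(existing)
		if parent == existing {
			break
		}
		existing = parent
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	realExisting, err := filepath.EvalSymlinks(existing)
	if err != nil {
		return "", err
	}
	if realExisting != realRoot && !strings.HasPrefix(realExisting, realRoot+sep) {
		return "", ErrOutsideWorkspace
	}
	return joined, nil
}

// copyFileSafe is the hardened form: src and dest must both resolve inside root,
// since an unchecked src is an arbitrary read just as an unchecked dest is a write.
func copyFileSafe(root, src, dest string) error {
	srcPath, err := safeJoin(root, src)
	if err != nil {
		return err
	}
	destPath, err := safeJoin(root, dest)
	if err != nil {
		return err
	}
	return copyContents(srcPath, destPath)
}

func main() {
	base, _ := os.MkdirTemp("", "copydemo") // constructed sandbox, removed on exit
	defer os.RemoveAll(base)
	ws := filepath.Join(base, "workspace")
	os.MkdirAll(filepath.Join(ws, "data"), 0o755)
	os.WriteFile(filepath.Join(ws, "data", "note.md"), []byte("hello"), 0o644)
	err := copyFileUnsafe(ws, "data/note.md", "../escaped.txt")
	_, statErr := os.Stat(filepath.Join(base, "escaped.txt"))
	fmt.Println("unsafe copy:", err, "| file landed outside workspace:", statErr == nil)
	fmt.Println("safe copy:  ", copyFileSafe(ws, "data/note.md", "../escaped.txt"))
}
```

The lexical check alone is what most "fixed" handlers stop at; the symlink step matters because a user who can already write inside the workspace (which this API allows by design) can plant a link there and turn a workspace-relative dest into an absolute one.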

Scores

CVSS v3 9.1
EPSS 0.0102
EPSS Percentile 58.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
b3log/siyuan < 3.5.3
siyuan-note/siyuan 0Go
Published Feb 04, 2026
Tracked Since Feb 18, 2026