CVE-2026-25539

SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb	Patch
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9	Exploit Vendor Advisory
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-04 22:16

Updated : 2026-02-11 19:10

NVD link : CVE-2026-25539

Mitre link : CVE-2026-25539

CVE.ORG link : CVE-2026-25539

JSON object : View

Products Affected

b3log

siyuan

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-25539", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2026-02-04T22:16:00.083", "references": [{"url": "https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5."}, {"lang": "es", "value": "SiYuan es un sistema de gesti\u00f3n de conocimiento personal. Antes de la versi\u00f3n 3.5.5, el endpoint /api/file/copyFile no valida el par\u00e1metro dest, permitiendo a usuarios autenticados escribir archivos en ubicaciones arbitrarias en el sistema de archivos. Esto puede llevar a la Ejecuci\u00f3n Remota de C\u00f3digo (RCE) al escribir en ubicaciones sensibles como trabajos cron, SSH authorized_keys o archivos de configuraci\u00f3n de shell. Este problema ha sido parcheado en la versi\u00f3n 3.5.5."}], "lastModified": "2026-02-11T19:10:21.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3141D3B1-ED56-4898-B115-8863570D1D63", "versionEndIncluding": "3.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}