Description
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
Published: 2026-02-04
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can invoke the /api/file/copyFile endpoint to write a file to an arbitrary location on the host because the destination path (the dest parameter) is not validated. This missing path validation allows overwriting critical system files such as cron jobs, SSH authorized_keys, or shell configuration files, which can be exploited to execute arbitrary code on the device. The weakness corresponds to Path Traversal (CWE-22).

Affected Systems

SiYuan, a personal knowledge management system, is affected for all releases prior to version 3.5.5. Any deployment that has authentication enabled and has not upgraded to the patched release remains vulnerable.

Risk and Exploitability

The CVSS base score is 9.1, indicating a high severity vulnerability, but the EPSS score is below 1%, signifying a very low projected exploitation probability at the present time. The vulnerability is not listed in the CISA KEV catalog. An attacker requires valid authentication and access to the API; once the arbitrary write is achieved, the attacker can place malicious binaries or scripts in system directories where execution is triggered, enabling remote code execution.

Generated by OpenCVE AI on April 17, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SiYuan to version 3.5.5 or later to apply the official fix.
  • Disable or restrict access to the /api/file/copyFile endpoint for all users until an upgrade can be performed, or configure the application to limit the destination directory to a safe, non-critical area.
  • Ensure file system permissions deny ordinary users write access to critical system directories such as /etc/cron.d, /etc/ssh/authorized_keys, and shell configuration files.
  • Use file-system monitoring to detect unexpected writes to protected directories and generate alerts for suspicious activity.
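The second recommended action above asks for the destination of a copy request to be confined to a safe directory; the Go code below is an added illustration of such a check and is not SiYuan's code or its 3.5.5 fix. The workspace root, the function names and the src/dest parameters are assumptions for the example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace: the supplied path would resolve outside the root.
var ErrOutsideWorkspace = errors.New("path escapes workspace root")

// safeDest resolves a client-supplied relative path (such as the dest of a
// copy request) against the workspace root. Absolute paths, volume prefixes
// and any ".." that climbs above the root are rejected, not normalised.
// Symlinks are not resolved here; the root must not contain escaping links.
func safeDest(root, dest string) (string, error) {
	if dest == "" || filepath.IsAbs(dest) || filepath.VolumeName(dest) != "" {
		return "", ErrOutsideWorkspace
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, dest) // Join also cleans the path
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return candidate, nil
}

// copyFile checks src and dest with safeDest before touching the disk, so a
// request cannot read from or write to anything outside the workspace.
func copyFile(root, src, dest string) error {
	from, err := safeDest(root, src)
	if err != nil {
		return err
	}
	to, err := safeDest(root, dest)
	if err != nil {
		return err
	}
	data, err := os.ReadFile(from)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(to), 0o755); err != nil {
		return err
	}
	return os.WriteFile(to, data, 0o644)
}
```

A request such as dest "../../etc/cron.d/job" is refused with ErrOutsideWorkspace instead of being rewritten, which also gives the server a clear event to log.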


Tracking


Advisories

Source: GitHub GHSA
ID: GHSA-c4jr-5q7w-f6r9
Title: SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
History

Wed, 11 Feb 2026 19:15:00 +0000

First Time appeared (values added): B3log; B3log siyuan
CPEs (values added): cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*:*
Vendors & Products (values added): B3log; B3log siyuan

Thu, 05 Feb 2026 19:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

First Time appeared (values added): Siyuan; Siyuan siyuan
Vendors & Products (values added): Siyuan; Siyuan siyuan

Wed, 04 Feb 2026 22:00:00 +0000

Description (values added): SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
Title (values added): SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
Weaknesses (values added): CWE-22
References (values added):
Metrics (values added): cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T18:32:27.657Z

Reserved: 2026-02-02T19:59:47.374Z

Link: CVE-2026-25539

Vulnrichment

Updated: 2026-02-05T18:32:15.638Z

NVD

Status: Analyzed

Published: 2026-02-04T22:16:00.083

Modified: 2026-02-11T19:10:21.850

Link: CVE-2026-25539

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses