CVE-2026-25539
Published 2026-02-04
Priority P351 · High 7.2 (CVSS 3.1) · Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS 1.02% (59.0th percentile)
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b3log | siyuan | <= 3.5.3 | — |
| github.com | siyuan-note_siyuan_kernel | 0 – 0.0.0-20260126094835-d5d10dd41b0c | — |
| siyuan-note | siyuan | < 3.5.5 | 3.5.5 |
OSV · 2026-02-02 · CVE-2026-25539: SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE in github.com/siyuan-note/siyuan/kernel
OSV · 2026-01-29 · CVE-2026-25539 [CRITICAL]: SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
## Summary
The `/api/file/copyFile` endpoint does not validate the `dest` parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files.
- Affected Version: 3.5.3 (and likely all prior versions)
## Details
- Type: Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
- Location: `kernel/api/file.go` - copyFile function
```go
// kernel/api/file.go lines 94-139
func copyFile(c *gin.Context) {
	// ...
	src := arg["src"].(string)
	src, err := model.GetAssetAbsPath(src) // src is validated
	// ...
	dest := arg["dest"].(string) //
```
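The containment check that the Details section says `copyFile` applies to `src` but not to `dest`, written here as an added Go illustration; it is not SiYuan's code or its 3.5.5 fix, and `SafeDestPath`, `inside` and `ErrOutsideWorkspace` are hypothetical names. It assumes `dest` is meant to be relative to an existing workspace directory, and it also rejects escapes through an existing symlink, which a purely lexical check misses.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// Illustrative validation for a workspace-relative dest (not SiYuan's code).
var ErrOutsideWorkspace = errors.New("dest escapes the workspace root")

// SafeDestPath resolves dest under workspaceRoot (an absolute, existing
// directory) and rejects anything outside it, lexically or via symlink.
func SafeDestPath(workspaceRoot, dest string) (string, error) {
	root := filepath.Clean(workspaceRoot)
	if filepath.IsAbs(dest) { // dest is expected to be workspace-relative
		return "", ErrOutsideWorkspace
	}
	candidate := filepath.Join(root, dest) // Join also collapses ".." and "."
	if candidate == root || !inside(root, candidate) {
		return "", ErrOutsideWorkspace
	}
	// A lexical check is not enough if dest or an existing ancestor is a
	// symlink pointing outside: resolve the deepest existing path component.
	ancestor := candidate
	for _, err := os.Lstat(ancestor); err != nil; _, err = os.Lstat(ancestor) {
		ancestor = filepath.Dir(ancestor) // terminates at the filesystem root
	}
	realAncestor, err := filepath.EvalSymlinks(ancestor)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	if !inside(realRoot, realAncestor) {
		return "", ErrOutsideWorkspace
	}
	return candidate, nil
}

// inside reports whether p equals root or lies beneath it.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}
```

The returned path is the cleaned lexical location under the workspace, so the caller copies to that value rather than to the raw `dest` string.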
GHSA · 2026-01-29 · CVE-2026-25539 [CRITICAL] CWE-22: SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE (advisory text identical to the OSV entry above)
No detection rules found.
No public exploits indexed.