Critical severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 5, 2026
SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE
CVE-2026-25539
Description
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
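The containment check the endpoint lacked, as an added example that is not SiYuan's code: the workspace layout, the function names (`resolveDest`, `copyFile`, `within`) and the symlink scenario are constructed for illustration. Rather than trusting `dest` or screening it against a list of sensitive names, the destination is resolved against the workspace root and refused if it escapes lexically (absolute path, `..` segments) or physically (a symlink inside the workspace that points outside it); a name list can then stay as defence in depth.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for any dest that would land outside the
// workspace root, whether through an absolute path, "..", or a symlink.
var ErrOutsideWorkspace = errors.New("dest resolves outside the workspace")

// within reports whether path is root itself or lies beneath it. Both
// arguments must already be absolute and cleaned.
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	if rel == "." {
		return true
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveDest maps a caller-supplied, workspace-relative dest onto an absolute
// path under workspace and refuses anything that escapes. The parent directory
// must exist for a copy to succeed anyway, so symlinks on the way to it are
// resolved before containment is decided. (Hypothetical helper, not SiYuan's.)
func resolveDest(workspace, dest string) (string, error) {
	if filepath.IsAbs(dest) {
		// A workspace-relative API has no reason to accept "/etc/cron.d/job".
		return "", ErrOutsideWorkspace
	}
	root, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	if root, err = filepath.EvalSymlinks(root); err != nil {
		return "", err
	}
	full := filepath.Join(root, dest) // Join cleans, collapsing "." and ".." segments
	if !within(root, full) {
		// Lexical escape, e.g. dest = "../../etc/cron.d/job".
		return "", ErrOutsideWorkspace
	}
	parent, err := filepath.EvalSymlinks(filepath.Dir(full))
	if err != nil {
		return "", err
	}
	if !within(root, parent) {
		// Physical escape: a symlink inside the workspace that points out of it.
		return "", ErrOutsideWorkspace
	}
	return filepath.Join(parent, filepath.Base(full)), nil
}

// copyFile copies src to dest inside workspace, with dest vetted by resolveDest.
// src is treated as trusted here to keep the focus on the write side.
func copyFile(workspace, src, dest string) error {
	target, err := resolveDest(workspace, dest)
	if err != nil {
		return fmt.Errorf("refuse to copy to [%s]: %w", dest, err)
	}
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(target, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer out.Close()
	_, err = io.Copy(out, in)
	return err
}

func main() {
	// Constructed workspace: one real subdirectory plus a symlink that
	// points to the directory above the workspace.
	ws, err := os.MkdirTemp("", "siyuan-ws-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(ws)
	_ = os.Mkdir(filepath.Join(ws, "assets"), 0o755)
	_ = os.Symlink(filepath.Dir(ws), filepath.Join(ws, "escape"))

	for _, d := range []string{"assets/note.md", "../../etc/cron.d/job", "/etc/cron.d/job", "escape/.bashrc"} {
		p, err := resolveDest(ws, d)
		fmt.Printf("%-24s -> path=%q err=%v\n", d, p, err)
	}
}
```

Only the first of the four sample destinations resolves; the other three are refused with ErrOutsideWorkspace, including the symlink case that a purely lexical check (Clean plus prefix compare) would let through.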
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | <= 0.0.0-20260126094835-d5d10dd41b0c | — |
Affected products
- Range: < 3.5.5
Patches
d7f790755edf :lock: Fix https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9
2 files changed · +10 −0
kernel/api/file.go+8 −0 modified@@ -141,6 +141,14 @@ func copyFile(c *gin.Context) { } dest := arg["dest"].(string) + if util.IsSensitivePath(dest) { + msg := fmt.Sprintf("refuse to copy sensitive file [%s]", dest) + logging.LogErrorf(msg) + ret.Code = -2 + ret.Msg = msg + return + } + if err = filelock.Copy(src, dest); err != nil { logging.LogErrorf("copy file [%s] to [%s] failed: %s", src, dest, err) ret.Code = -1
kernel/util/path.go+2 −0 modified@@ -373,6 +373,7 @@ func IsSensitivePath(p string) bool { "/etc/ssh", "/root", "/etc/ssl", + "/etc/cron.d/", "/etc/letsencrypt", "/var/lib/docker", "/.gnupg", @@ -404,6 +405,7 @@ func IsSensitivePath(p string) bool { base := filepath.Base(pp) n := strings.ToLower(base) sensitiveNames := map[string]struct{}{ + ".bashrc": {}, ".env": {}, ".env.local": {}, ".npmrc": {},
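Review bot: the guard added to copyFile in kernel/api/file.go is a denylist over dest, not containment, so any writable location that IsSensitivePath does not name remains reachable through the same parameter; resolve dest to an absolute, symlink-evaluated path and require it to lie under the workspace directory, keeping IsSensitivePath only as defence in depth. Two smaller points in the same hunk: `logging.LogErrorf(msg)` passes a string that embeds the caller-controlled dest as the format argument, so a dest containing `%` verbs is mis-rendered (go vet reports this); write `logging.LogErrorf("refuse to copy sensitive file [%s]", dest)` and reuse the formatted text for ret.Msg. And `dest := arg["dest"].(string)` is an unchecked type assertion that panics on a missing or non-string dest; use the two-value form and return an error code instead.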
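Review bot: in the first kernel/util/path.go hunk, "/etc/cron.d/" is added with a trailing slash while its neighbours ("/etc/ssh", "/root", "/etc/ssl") have none; under a prefix match this still catches children but not the directory path itself, and under an exact match it catches nothing, so drop the slash for consistency. The entry also covers only one cron drop-in location: /etc/crontab, /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly and the per-user spool under /var/spool/cron give the same code-execution primitive the advisory describes and should be listed alongside it.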
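Review bot: in the second kernel/util/path.go hunk, ".bashrc" is the only shell startup file added to sensitiveNames, but the advisory names "shell configuration files" generally; ".bash_profile", ".bash_login", ".profile", ".zshrc", ".zprofile", ".zshenv" and ".zlogin" are sourced on login or shell start just as .bashrc is and should be added in the same map. The advisory's other named target, SSH authorized_keys, does not appear in this hunk; confirm it is covered elsewhere in the map, since the visible "/etc/ssh" entry protects the system configuration directory rather than a user's ~/.ssh.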
References
- github.com/advisories/GHSA-c4jr-5q7w-f6r9 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25539 (NVD entry)
- github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb (fix commit)
- github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9 (vendor advisory)