High severity · NVD Advisory · Published Feb 10, 2026 · Updated Feb 10, 2026
SiYuan has a File Read Interface Case Bypass Vulnerability
CVE-2026-25992
Description
SiYuan is a personal knowledge management system. Prior to 3.5.5, the /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems such as Windows, attackers can bypass restrictions using mixed-case paths and read protected configuration files. This vulnerability is fixed in 3.5.5.
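The failure mode described above, shown as an added example (not SiYuan's code): an exact-match blocklist check next to a case-folded one. The blocklist entry `conf/conf.json`, the function names, and the sample request paths are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed blocklist entry for illustration; not taken from SiYuan.
var blocked = []string{"conf/conf.json"}

// normalize converts backslashes to slashes, collapses "." and ".."
// segments, and strips the leading slash so comparisons see one form.
func normalize(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// isBlockedCaseSensitive uses exact string equality. On a case-insensitive
// file system a differently cased path names the same file but passes.
func isBlockedCaseSensitive(p string) bool {
	p = normalize(p)
	for _, b := range blocked {
		if p == b {
			return true
		}
	}
	return false
}

// isBlockedCaseFolded compares under Unicode case folding, so every casing
// of a blocked path is rejected regardless of the host file system.
func isBlockedCaseFolded(p string) bool {
	p = normalize(p)
	for _, b := range blocked {
		if strings.EqualFold(p, b) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request paths.
	for _, p := range []string{"conf/conf.json", "Conf/CONF.json", `conf\Conf.JSON`, "data/note.md"} {
		fmt.Printf("%-16q exact=%-5v folded=%v\n", p, isBlockedCaseSensitive(p), isBlockedCaseFolded(p))
	}
}
```

Running the folded check unconditionally, rather than only on Windows builds, keeps the behaviour identical on case-insensitive volumes mounted under other operating systems.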
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/siyuan-note/siyuan/kernel (Go) | <= 0.0.0-20260126094835-d5d10dd41b0c | — |
Affected products
- ghsa-coords · Range: <= 0.0.0-20260126094835-d5d10dd41b0c
- Range: < 3.5.5
References
- github.com/advisories/GHSA-f72r-2h5j-7639 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25992 (ghsa, ADVISORY)
- github.com/siyuan-note/siyuan/commit/1f02650b3892d2ea3896242dd2422c30bda55e11 (ghsa, WEB)
- github.com/siyuan-note/siyuan/releases/tag/v3.5.5 (ghsa, x_refsource_MISC, WEB)
- github.com/siyuan-note/siyuan/security/advisories/GHSA-f72r-2h5j-7639 (ghsa, x_refsource_CONFIRM, WEB)