SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Description

SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.

Basic Information

ID CVE-2026-25539

Source GitHub_M

Published Feb 4, 2026 at 21:39

Affected Product

Vendor siyuan-note

Product siyuan

Version < 3.5.5

Affected Versions siyuan-note siyuan < 3.5.5

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.",
    "published": "2026-02-04T21:39:12.438Z",
    "modified": "2026-02-04T21:39:12.438Z",
    "type": "cve",
    "title": "SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE",
    "source": "GitHub_M",
    "references": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9\nhttps://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb",
    "id": "CVE-2026-25539",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "siyuan-note siyuan < 3.5.5",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "siyuan",
    "version": "< 3.5.5",
    "vendor": "siyuan-note",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE_CVE-2026-25539