Cyber Posture

CVE-2026-25539

CriticalPublic PoC

Published: 04 February 2026

Published
04 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0024 47.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE)…

more

by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of the dest parameter to block path traversal and prevent arbitrary file writes on the filesystem.

AC-3 Access Enforcement good match
prevent

Enforces logical access controls to restrict authenticated users from writing files to unauthorized locations like cron jobs or SSH keys.

AC-6 Least Privilege partial match
prevent

Applies least privilege to limit high-privilege (PR:H) access to the vulnerable endpoint, reducing the attack surface for exploitation.

Security SummaryAI

CVE-2026-25539 is a path traversal vulnerability (CWE-22) in the /api/file/copyFile endpoint of SiYuan, an open-source personal knowledge management system. In versions prior to 3.5.5, the endpoint fails to properly validate the dest parameter, enabling authenticated users to copy files to arbitrary locations on the server's filesystem. This flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its critical potential for high confidentiality, integrity, and availability impacts with changed scope.

An attacker with authenticated access, requiring high privileges (PR:H), can exploit this vulnerability remotely over the network with low complexity and no user interaction. By manipulating the dest parameter, they can write files to sensitive locations such as cron jobs, SSH authorized_keys files, or shell configuration files, potentially leading to remote code execution (RCE) and full server compromise.

The issue has been addressed in SiYuan version 3.5.5, as detailed in the project's GitHub security advisory (GHSA-c4jr-5q7w-f6r9) and the patching commit (d7f790755edf8c78d2b4176171e5a0cdcd720feb). Security practitioners should upgrade to 3.5.5 or later and review access controls for the affected endpoint to mitigate risks.

Details

CWE(s)
CWE-22

Affected Products

b3log
siyuan
≤ 3.5.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1053.003 Cron Execution
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.
attack.mitre.org →
T1098.004 SSH Authorized Keys Persistence
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host.
attack.mitre.org →
T1546.004 Unix Shell Configuration Modification Privilege Escalation
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
attack.mitre.org →
Why these techniques?

Path traversal in web API enables arbitrary file writes to sensitive locations including cron jobs (T1053.003), SSH authorized_keys (T1098.004), and shell configs (T1546.004), via exploitation of public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References