CVE-2026-25539: SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE

January 29, 2026 (updated February 3, 2026)

The /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files.

Affected Version: 3.5.3 (and likely all prior versions)

References

github.com/advisories/GHSA-c4jr-5q7w-f6r9
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb
github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9
nvd.nist.gov/vuln/detail/CVE-2026-25539

Code Behaviors & Features

Detect and mitigate CVE-2026-25539 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →