CVE-2026-25992: SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal

January 28, 2026 (updated February 10, 2026)

Read sensitive information in configuration files (e.g., access codes, API Tokens, sync configurations, etc.).
Remotely exploitable directly when the service is published without authentication.

References

github.com/advisories/GHSA-f72r-2h5j-7639
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/commit/1f02650b3892d2ea3896242dd2422c30bda55e11
github.com/siyuan-note/siyuan/security/advisories/GHSA-f72r-2h5j-7639
nvd.nist.gov/vuln/detail/CVE-2026-25992

Code Behaviors & Features

Detect and mitigate CVE-2026-25992 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →