Cyber Resilience

CVE-2026-25539

CriticalPublic PoC

Published: 04 February 2026

Published
04 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0102 58.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25539 is a critical-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25539 is a path traversal vulnerability (CWE-22) in the /api/file/copyFile endpoint of SiYuan, an open-source personal knowledge management system. In versions prior to 3.5.5, the endpoint fails to properly validate the dest parameter, enabling authenticated users to copy files to arbitrary locations on the server's filesystem. This flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its critical potential for high confidentiality, integrity, and availability impacts with changed scope.

An attacker with authenticated access, requiring high privileges (PR:H), can exploit this vulnerability remotely over the network with low complexity and no user interaction. By manipulating the dest parameter, they can write files to sensitive locations such as cron jobs, SSH authorized_keys files, or shell configuration files, potentially leading to remote code execution (RCE) and full server compromise.

The issue has been addressed in SiYuan version 3.5.5, as detailed in the project's GitHub security advisory (GHSA-c4jr-5q7w-f6r9) and the patching commit (d7f790755edf8c78d2b4176171e5a0cdcd720feb). Security practitioners should upgrade to 3.5.5 or later and review access controls for the affected endpoint to mitigate risks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE)…

more

by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1053.003 Cron Execution
Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.
T1098.004 SSH Authorized Keys Persistence
Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host.
T1546.004 Unix Shell Configuration Modification Privilege Escalation
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
Why these techniques?

Path traversal in web API enables arbitrary file writes to sensitive locations including cron jobs (T1053.003), SSH authorized_keys (T1098.004), and shell configs (T1546.004), via exploitation of public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33670Same product: B3Log Siyuan
CVE-2026-23850Same product: B3Log Siyuan
CVE-2026-25992Same product: B3Log Siyuan
CVE-2026-30869Same product: B3Log Siyuan
CVE-2026-33476Same product: B3Log Siyuan
CVE-2026-32749Same product: B3Log Siyuan
CVE-2026-32938Same product: B3Log Siyuan
CVE-2026-34605Same product: B3Log Siyuan
CVE-2026-34453Same product: B3Log Siyuan
CVE-2025-21609Same product: B3Log Siyuan

Affected Assets

b3log
siyuan
≤ 3.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the dest parameter to block path traversal and prevent arbitrary file writes on the filesystem.

prevent

Enforces logical access controls to restrict authenticated users from writing files to unauthorized locations like cron jobs or SSH keys.

prevent

Applies least privilege to limit high-privilege (PR:H) access to the vulnerable endpoint, reducing the attack surface for exploitation.

References