CVE-2026-25539
Published: 04 February 2026
Summary
CVE-2026-25539 is a critical-severity Path Traversal (CWE-22) vulnerability in B3Log Siyuan. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of the dest parameter to block path traversal and prevent arbitrary file writes on the filesystem.
Enforces logical access controls to restrict authenticated users from writing files to unauthorized locations like cron jobs or SSH keys.
Applies least privilege to limit high-privilege (PR:H) access to the vulnerable endpoint, reducing the attack surface for exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in web API enables arbitrary file writes to sensitive locations including cron jobs (T1053.003), SSH authorized_keys (T1098.004), and shell configs (T1546.004), via exploitation of public-facing application (T1190).
NVD Description
SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE)…
more
by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.
Deeper analysisAI
CVE-2026-25539 is a path traversal vulnerability (CWE-22) in the /api/file/copyFile endpoint of SiYuan, an open-source personal knowledge management system. In versions prior to 3.5.5, the endpoint fails to properly validate the dest parameter, enabling authenticated users to copy files to arbitrary locations on the server's filesystem. This flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its critical potential for high confidentiality, integrity, and availability impacts with changed scope.
An attacker with authenticated access, requiring high privileges (PR:H), can exploit this vulnerability remotely over the network with low complexity and no user interaction. By manipulating the dest parameter, they can write files to sensitive locations such as cron jobs, SSH authorized_keys files, or shell configuration files, potentially leading to remote code execution (RCE) and full server compromise.
The issue has been addressed in SiYuan version 3.5.5, as detailed in the project's GitHub security advisory (GHSA-c4jr-5q7w-f6r9) and the patching commit (d7f790755edf8c78d2b4176171e5a0cdcd720feb). Security practitioners should upgrade to 3.5.5 or later and review access controls for the affected endpoint to mitigate risks.
Details
- CWE(s)