CVE-2026-25539 — AI Deep Analysis Summary

🚨 **Essence**: A Path Traversal flaw in SiYuan's `/api/file/copyFile` endpoint. 📉 **Consequences**: Attackers can write files to arbitrary locations, potentially leading to **Remote Code Execution (RCE)**.…

🛡️ **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory. 💥 **Flaw**: The `dest` parameter in the copy API is **not validated**. No sanitization of directory traversal sequences (e.g., `../`).

📦 **Product**: SiYuan (Privacy-first personal knowledge management system). 👥 **Affected**: Versions **prior to 3.5.5**. If you are running <3.5.5, you are vulnerable!

💀 **Hackers' Power**: Can overwrite system files or config files. 🎯 **Goal**: Achieve **Remote Code Execution**. 💾 **Data**: Full read/write access to the file system, bypassing intended sandboxing.

🔐 **Threshold**: **Medium**. Requires **High Privileges (PR:H)** according to CVSS. You likely need to be a logged-in user with sufficient permissions to trigger the API call. Not fully anonymous.

🕵️ **Exploit Status**: **No public PoC** listed in the data. 🌐 **Wild Exploitation**: Unconfirmed. However, the logic flaw is clear, making custom exploits likely possible for skilled attackers.

🔍 **Self-Check**: Scan for SiYuan instances. 🧪 **Test**: Try accessing `/api/file/copyFile` with a `dest` parameter containing `../`. If the server accepts it without error or blocks it improperly, you are at risk.…

✅ **Fixed**: **Yes**. Patch released in **SiYuan 3.5.5**. 📝 **Commit**: `d7f790755edf8c78d2b4176171e5a0cdcd720feb`. 🛡️ **Action**: Update immediately to the latest version.

🚧 **No Patch?**: If you cannot update, **disable external access** to the API. 🚫 **Restrict**: Limit network exposure. Use strong authentication. Monitor logs for suspicious file copy attempts. Treat as critical risk.

🔥 **Urgency**: **HIGH**. 🚨 **Priority**: Patch immediately. CVSS Score is **High** (likely 8.0+ based on vector). RCE potential makes this a top-priority fix for any SiYuan admin.