CRITICAL · CVE-2026-25539 · CVSS 9.1

CVE-2026-25539: RCE in SiYuan Kernel

Platform: go

Component: github.com/siyuan-note/siyuan/kernel

Fixed in: 3.5.6, 0.0.1

AI Confidence: high · NVD · EPSS 0.2% · Reviewed: May 2026

CVE-2026-25539 describes a Remote Code Execution (RCE) vulnerability discovered in the SiYuan Kernel, specifically within the /api/file/copyFile endpoint. This flaw allows an attacker to perform arbitrary file writes, potentially leading to complete system compromise. The vulnerability impacts versions of SiYuan Kernel prior to 3.5.5. A fix is available in version 3.5.5.

Impact and Attack Scenarios

The impact of CVE-2026-25539 is severe. Successful exploitation allows an attacker to write arbitrary files to the SiYuan server's filesystem. This can be leveraged to overwrite critical system files, inject malicious code, or gain persistent access to the system. An attacker could potentially execute arbitrary commands with the privileges of the SiYuan process, leading to full system compromise and data exfiltration. The ability to write arbitrary files bypasses typical security controls and represents a significant escalation of privileges.

Exploitation Context

CVE-2026-25539 was publicly disclosed on 2026-02-02. As of this writing, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium due to the ease of exploitation once a public POC is available and the critical severity. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High

EPSS

0.23% (46% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, CVSS v3.1 Base Score 9.1 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: github.com/siyuan-note/siyuan/kernel
Vendor: osv
Affected range: < 3.5.5 – < 3.5.5; fixed in: 3.5.6
Affected range: 0.0.0-20260126094835-d5d10dd41b0c; fixed in: 0.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-25539 is to immediately upgrade SiYuan Kernel to version 3.5.5 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the /api/file/copyFile endpoint using a web application firewall (WAF) or proxy server. Configure the WAF to block requests with suspicious file paths or extensions. Monitor system logs for unusual file write activity, particularly in sensitive directories. After upgrading, verify the fix by attempting to trigger the file write vulnerability and confirming that the request is rejected.
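
The proxy workaround described above can be sketched as a small Go reverse proxy that refuses the /api/file/copyFile endpoint before it reaches the kernel. This is an added example, not code from the SiYuan project or this advisory; the upstream address, the listen address and the names isBlocked and denyCopyFile are assumptions made for illustration.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// blockedEndpoint is the endpoint named in the advisory.
const blockedEndpoint = "/api/file/copyFile"

// isBlocked reports whether an already-decoded request path resolves to the
// blocked endpoint. The path is normalised first so that duplicate slashes,
// "." and ".." segments, a trailing slash or different letter case do not
// slip past a plain string comparison.
func isBlocked(p string) bool {
	return strings.EqualFold(path.Clean("/"+p), blockedEndpoint)
}

// denyCopyFile rejects requests for the blocked endpoint with 403 and logs
// them; every other request is passed to next unchanged.
func denyCopyFile(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isBlocked(r.URL.Path) {
			// %q quotes the path so control characters cannot forge log lines.
			log.Printf("blocked %s %q from %s", r.Method, r.URL.Path, r.RemoteAddr)
			http.Error(w, "endpoint disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumption: the kernel listens on this loopback address; adjust as needed.
	upstream, err := url.Parse("http://127.0.0.1:6806")
	if err != nil {
		log.Fatal(err)
	}
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	// Assumption: clients can reach SiYuan only through this listener.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", denyCopyFile(proxy)))
}
```

The filter only helps if the kernel port itself is unreachable from clients, and any feature that relies on the endpoint stops working until the upgrade is applied and the filter is removed.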

How to fix

Update SiYuan to version 3.5.5 or later. This version fixes the arbitrary file write vulnerability. The update can be performed through the software's administration interface or by downloading the latest version from the official website.

Frequently asked questions

What is CVE-2026-25539 — RCE in SiYuan Kernel?

CVE-2026-25539 is a critical Remote Code Execution vulnerability in SiYuan Kernel, allowing attackers to write arbitrary files via the /api/file/copyFile endpoint, potentially leading to system compromise.

Am I affected by CVE-2026-25539 in SiYuan Kernel?

You are affected if you are using SiYuan Kernel versions prior to 3.5.5. Immediately check your version and upgrade if necessary.

How do I fix CVE-2026-25539 in SiYuan Kernel?

Upgrade SiYuan Kernel to version 3.5.5 or later. As a temporary workaround, restrict access to the /api/file/copyFile endpoint using a WAF or proxy.

Is CVE-2026-25539 being actively exploited?

As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.

Where can I find the official SiYuan advisory for CVE-2026-25539?

Refer to the official SiYuan project website and GitHub repository for the latest security advisories and updates regarding CVE-2026-25539.
