NIXPKGS-2026-0050

published on 20 Jan 2026

Permalink CVE-2026-23851

updated 1 month ago by @LeSuisse Activity log

Created automatic suggestion 1 month ago
@LeSuisse accepted 1 month ago
@LeSuisse published on GitHub 1 month ago

SiYuan Vulnerable to Arbitrary File Read via File Copy Functionality

SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server's filesystem into the application's workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue.

Affected products

siyuan

==< 3.5.4

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.4.0
- nixpkgs-unstable 3.4.0
- nixos-unstable-small 3.4.0

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682
Upstream patches:
* https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd
* https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0050

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers