NIXPKGS-2026-0105

GitHub issue published on 5 Feb 2026

Permalink CVE-2026-25539

updated 2 weeks, 2 days ago by @LeSuisse Activity log

Created automatic suggestion 2 weeks, 2 days ago
@LeSuisse accepted 2 weeks, 2 days ago
@LeSuisse published on GitHub 2 weeks, 2 days ago

SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE

SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5.

Affected products

siyuan

==< 3.5.5

Matching in nixpkgs

pkgs.siyuan

Privacy-first personal knowledge management system that supports complete offline usage, as well as end-to-end encrypted data sync

nixos-unstable 3.5.4-dev4
- nixpkgs-unstable 3.5.4-dev4
- nixos-unstable-small 3.5.4
nixos-25.11 3.5.4
- nixos-25.11-small 3.5.4
- nixpkgs-25.11-darwin 3.5.4-dev4

Package maintainers

@TomaSajt TomaSajt
@L-Trump Luo Chen <ltrump@163.com>

Upstream advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9
Upstream patch: https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0105

Affected products

Matching in nixpkgs

pkgs.siyuan

Package maintainers