Vulnerability in SiYuan Personal Knowledge Management System
CVE-2026-25992

7.5 HIGH

Key Information:

CVE Published: 10 February 2026

What is CVE-2026-25992?

The SiYuan Personal Knowledge Management System has a vulnerability in its API that could allow unauthorized access to sensitive configuration files. Prior to version 3.5.5, the /api/file/getFile endpoint used case-sensitive string equality checks, which can be bypassed on case-insensitive file systems such as those on Windows. Attackers can exploit this flaw by using mixed-case paths to gain access to protected files, which can lead to exposure of sensitive information. The issue is resolved in version 3.5.5, and users are urged to upgrade to that version to mitigate the risk.
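The class of flaw described above, as an added example in Go that is not SiYuan's own code: a case-sensitive deny-list check beside a hardened one that canonicalises the path and compares it case-insensitively. The protected path `conf/secret.json` and all function names are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed deny-list entry; the page does not name the real protected files.
var protected = []string{"conf/secret.json"}

// vulnerableAllowed shows the flawed pattern: exact, case-sensitive equality.
func vulnerableAllowed(req string) bool {
	for _, p := range protected {
		if req == p {
			return false
		}
	}
	return true
}

// canonical unifies separators and collapses "." and ".." segments so the
// comparison sees one spelling of the path.
func canonical(req string) string {
	p := strings.ReplaceAll(req, `\`, "/")
	return strings.TrimPrefix(path.Clean("/"+p), "/")
}

// hardenedAllowed compares canonical paths case-insensitively, matching how a
// case-insensitive file system resolves names.
func hardenedAllowed(req string) bool {
	c := canonical(req)
	for _, p := range protected {
		if strings.EqualFold(c, p) {
			return false
		}
	}
	return true
}

func main() {
	for _, req := range []string{"conf/secret.json", "Conf/Secret.JSON", "notes/todo.md"} {
		fmt.Printf("%-18s vulnerable=%-5v hardened=%v\n", req, vulnerableAllowed(req), hardenedAllowed(req))
	}
}
```

A stricter defence is to compare file identity (for example with `os.SameFile` on the opened file) rather than path strings, since identity does not depend on how the path was spelled.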

Affected Version(s)

siyuan < 3.5.5

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
