PT-2026-3497 · Siyuan · Siyuan

Jaroslaw-Wawiorko · Published 2026-01-19 · Updated 2026-02-06

CVE-2026-23851

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.4
Description: SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic issue in the /api/file/globalCopyFiles API endpoint: because the source paths are not properly validated, an authenticated user can copy files from any location on the server's filesystem into the application's workspace. The vulnerable function, globalCopyFiles, accepts a list of source paths (srcs) from the JSON request body. It verifies that each source exists with filelock.IsExist(src), but it never confirms that the source path lies within the authorized workspace directory. The vulnerable code is in api/file.go.
Recommendations: Update SiYuan to version 3.5.4 or later.
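The description above names the missing check: existence is verified, containment in the workspace is not. The following Go code is an added illustration of the containment check a defender would expect such an endpoint to perform; it is not SiYuan's code and not the project's actual fix. The workspace path, the helper names isWithinWorkspace and validateCopySources, and the sample paths are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned for a source that resolves outside the workspace root.
var ErrOutsideWorkspace = errors.New("source path is outside the workspace")

// isWithinWorkspace is a purely lexical check (hypothetical helper): both paths are
// cleaned and made absolute, then compared with filepath.Rel so that "..", duplicate
// separators and sibling directories sharing a prefix (workspace vs workspace2)
// cannot escape the root. The root itself counts as inside.
func isWithinWorkspace(workspace, p string) (bool, error) {
	absRoot, err := filepath.Abs(workspace)
	if err != nil {
		return false, err
	}
	absPath, err := filepath.Abs(p)
	if err != nil {
		return false, err
	}
	rel, err := filepath.Rel(absRoot, absPath)
	if err != nil {
		return false, err
	}
	// Rel yields ".." or "../x" exactly when absPath is not under absRoot.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, nil
	}
	return true, nil
}

// validateCopySources shows the order of checks the advisory says was incomplete:
// an existence check alone is not enough, every source must also be confined to the
// workspace. Symlinks are resolved on both sides first, so a link placed inside the
// workspace that points outside it is rejected as well. Returns the first failure.
func validateCopySources(workspace string, srcs []string) error {
	realRoot, err := filepath.EvalSymlinks(workspace)
	if err != nil {
		return fmt.Errorf("workspace %q: %w", workspace, err)
	}
	for _, src := range srcs {
		if _, err := os.Stat(src); err != nil {
			return fmt.Errorf("source %q: %w", src, err)
		}
		realSrc, err := filepath.EvalSymlinks(src)
		if err != nil {
			return fmt.Errorf("source %q: %w", src, err)
		}
		ok, err := isWithinWorkspace(realRoot, realSrc)
		if err != nil {
			return err
		}
		if !ok {
			return fmt.Errorf("source %q: %w", src, ErrOutsideWorkspace)
		}
	}
	return nil
}

func main() {
	// Constructed sample paths; only the lexical check is exercised here so the
	// program runs without touching the filesystem.
	const workspace = "/srv/siyuan/workspace" // assumed workspace root
	for _, p := range []string{
		"/srv/siyuan/workspace/data/notes.md",
		"/srv/siyuan/workspace/../../../etc/passwd",
		"/srv/siyuan/workspace2/data/notes.md",
	} {
		ok, err := isWithinWorkspace(workspace, p)
		fmt.Printf("%-45s inside=%v err=%v\n", p, ok, err)
	}
}
```

The lexical check is what a request handler can apply before any I/O; the symlink resolution in validateCopySources closes the remaining gap once the file is known to exist. A handler that only calls an existence check, as the advisory describes, accepts every path for which the first loop step succeeds.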

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2026-23851
GHSA-94C7-G2FJ-7682
GO-2026-4346
SUSE-SU-2026:0403-1

Affected Products

Siyuan