PT-2026-7417 · Siyuan · Siyuan
Eaea0001 · Published 2026-01-28 · Updated 2026-02-10 · CVE-2026-25992
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.5.5
Description: The /api/file/getFile endpoint uses case-sensitive string equality checks to block access to sensitive files. On case-insensitive file systems, such as Windows, attackers can bypass these restrictions with mixed-case paths and read protected configuration files. This can lead to the disclosure of sensitive information, including access codes, API tokens, and sync configurations. The issue is remotely exploitable when the service is published without authentication. The root cause is path comparison by strict, case-sensitive string matching with neither case normalization nor a same-file check. The vulnerable parameter is path in the request to the /api/file/getFile endpoint.
Recommendations: Versions prior to 3.5.5 should be updated to version 3.5.5 or later. Normalize path casing before comparison on Windows and macOS. Use file-level comparison methods such as os.SameFile. Apply blacklist validation on sensitive paths after case normalization.
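As an added example, not SiYuan's own code and not part of this advisory, the following Go program places the flawed pattern (strict case-sensitive string equality) beside a check that follows the recommendations above: confine the requested path to the workspace root, compare with case folded, then confirm file identity with os.SameFile. The protected file names, the workspace layout and the function names are assumptions made for the example. One deliberate deviation: the case-folded comparison is applied on every platform rather than only on Windows and macOS, because refusing an oddly cased spelling of a protected file costs nothing on a case-sensitive file system and removes the platform branch.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when the requested path escapes the workspace root.
var ErrOutsideRoot = errors.New("requested path escapes workspace root")

// protectedRel lists files the endpoint must never return, relative to the
// workspace root. Constructed for this example; not SiYuan's actual list.
var protectedRel = []string{
	"conf/conf.json",
	"conf/sync.json",
}

// vulnerableIsProtected reproduces the flawed pattern from the advisory: a
// strict, case-sensitive string comparison. On a case-insensitive file system
// "Conf/CONF.json" opens the same file as "conf/conf.json" but passes this check.
func vulnerableIsProtected(root, requested string) bool {
	req := filepath.Join(root, requested)
	for _, p := range protectedRel {
		if req == filepath.Join(root, p) {
			return true
		}
	}
	return false
}

// hardenedIsProtected applies the advisory's recommendations: confine the path
// to the root, compare with case folded, then confirm identity with os.SameFile.
func hardenedIsProtected(root, requested string) (bool, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return false, err
	}
	// filepath.Abs cleans the path, so "a/../b" segments are resolved lexically.
	req, err := filepath.Abs(filepath.Join(absRoot, requested))
	if err != nil {
		return false, err
	}
	// Containment check: reject anything that climbs out of the workspace.
	rel, err := filepath.Rel(absRoot, req)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return false, ErrOutsideRoot
	}
	for _, p := range protectedRel {
		prot := filepath.Join(absRoot, p)
		// Lexical check with case folded, before touching the disk.
		if strings.EqualFold(req, prot) {
			return true, nil
		}
		// Identity check: os.SameFile catches aliases the lexical check cannot
		// see (symlinks, or case aliasing performed by the file system).
		ri, err := os.Stat(req)
		if errors.Is(err, os.ErrNotExist) {
			continue // nothing to serve, so nothing to protect
		}
		if err != nil {
			return false, err
		}
		pi, err := os.Stat(prot)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return false, err
		}
		if os.SameFile(ri, pi) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed workspace: one protected file under conf/.
	root, err := os.MkdirTemp("", "ws")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := os.MkdirAll(filepath.Join(root, "conf"), 0o755); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(root, "conf", "conf.json"), []byte("{}"), 0o600); err != nil {
		panic(err)
	}
	for _, req := range []string{"conf/conf.json", "Conf/CONF.json", "notes/a.md", "../outside"} {
		ok, err := hardenedIsProtected(root, req)
		fmt.Printf("%-16s vulnerable=%-5v hardened=%-5v err=%v\n",
			req, vulnerableIsProtected(root, req), ok, err)
	}
}
```

The order of the two checks matters: the case-folded lexical comparison runs first and needs no file system access, so it also blocks mixed-case spellings of a protected file that does not exist yet (for example before a sync configuration has been written); os.SameFile then handles aliases that no string comparison can detect, which is why the advisory recommends it in addition to case normalization rather than instead of it.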

Exploit

Fix

Untrusted Search Path

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-25992
GHSA-F72R-2H5J-7639
GO-2026-4386

Affected Products

Siyuan