CVE-2025-67488 · HIGH 8.8 · EPSS p28.4%

Description

SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain the function importZipMd, which is vulnerable to Zip Slip (path traversal via crafted archive entry names), allowing an authenticated user to overwrite files on the system. An authenticated user with access to the note import functionality can overwrite any file on the system and, under some circumstances, escalate to full code execution. A fix is planned for version 3.5.0.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% probability of exploitation · percentile 28.4% · 2026-06-19T12:03:05Z
Published: 2025-12-09
Last modified: 2026-01-30

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190
  2. https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gqfv-g4v7-m366

Type     | Target                                                                          | Confidence | Tier
Weakness | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), cwe-22 | 0%         | live

Related by meaning · 6

Nearest entities (all of type CVE) by semantic similarity across the cs-graph corpus.

  - CVE-2025-21609
  - CVE-2026-32749
  - CVE-2025-68948
  - CVE-2026-34585
  - CVE-2026-44586
  - CVE-2026-30869
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.