What is the CVSS score of CVE-2025-46348?

CVE-2025-46348 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Yeswiki are affected by CVE-2025-46348?

Organizations using PHP. face critical risk from CVE-2025-46348, a improper authentication vulnerability rated CVSS 10.0.. A patch is available.

Is there a public PoC exploit available for CVE-2025-46348?

Yes, a public proof-of-concept exploit is available for CVE-2025-46348. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-46348?

Within 24 hours: Identify all affected systems running PHP. and apply vendor patches immediately. Audit authentication configurations and rotate any potentially compromised credentials.

Yeswiki CVE-2025-46348

CRITICAL

Improper Authentication (CWE-287)

2025-04-29 security-advisories@github.com

Authentication Bypass Yeswiki

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:39 vuln.today

Patch released

Mar 28, 2026 - 18:39 nvd

Patch available

PoC Detected

May 09, 2025 - 13:58 vuln.today

Public exploit code

CVE Published

Apr 29, 2025 - 21:15 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.

AnalysisAI

YesWiki is a wiki system written in PHP. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Improper Authentication (CWE-287), which allows attackers to bypass authentication mechanisms to gain unauthorized access. YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4. Affected products include: Yeswiki. Version information: version 4.5.4.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement multi-factor authentication, enforce strong password policies, use proven authentication frameworks.

CVE-2025-46348 vulnerability details – vuln.today

Back

Yeswiki CVE-2025-46348

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code