Skip to main content

CVE-2026-34598

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-01 https://github.com/YesWiki/yeswiki GHSA-37fq-47qj-6j5j
7.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch released
Apr 01, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 01, 2026 - 00:30 vuln.today
CVE Published
Apr 01, 2026 - 00:13 nvd
HIGH 7.1

DescriptionGitHub Advisory

Summary

A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed.

Type: Stored and Blind Cross-Site Scripting (XSS) Affected Component: form title input field Authentication Required: No (Unauthenticated attack possible) Impact: Arbitrary JavaScript execution in victim’s browser

Details

A Stored XSS vulnerability occurs when an application stores malicious user input (in this case, a script injected via the form title field) in its backend database and renders it later on a page viewed by other users without proper sanitization or encoding.

In this case, the attacker can inject JavaScript payloads in the title field of a form, which the application stores in the database. When any user, such as an admin or another visitor, views the page that displays this title, the malicious script executes in their browser context.

PoC

  • Visit https://yeswiki.net/?BazaR&vue=formulaire or localhost/?BazaR&vue=formulaire or

https://ferme.yeswiki.net/[username]/?BazaR&vue=formulaire

  • Click on the + icon to add a record via the Diary form.
  • Inject the payload like: <script>alert(document.cookie)</script> or <script>alert(1)</script> into Name of the event and Description
  • Then save the record by clicking To validate
  • The payload will be executed when anyone visits /?BazaR&vue=consulter also in the diary record

/?wiki=BazaR&vue=consulter&action=recherche&q=&id=2&facette=

The payload is persistant.

AnalysisAI

Stored cross-site scripting (XSS) in YesWiki allows unauthenticated attackers to inject malicious JavaScript through form title fields, achieving persistent code execution in browsers of all users viewing affected pages. The vulnerability requires no authentication and affects the BazaR form component, with publicly available exploit code demonstrating injection via the 'Name of the event' and 'Description' fields. Successful exploitation enables session hijacking, credential theft, and arbitrary actions in victim contexts including administrative users.

Technical ContextAI

YesWiki is a PHP-based wiki and collaborative web application framework distributed via Composer (pkg:composer/yeswiki_yeswiki). This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where the application fails to sanitize or encode user-supplied input in form title fields before storing it in the backend database. When the stored data is rendered on pages like /?BazaR&vue=consulter, the browser interprets the malicious script tags as executable code rather than display text. The BazaR module's form handling mechanism lacks proper output encoding, allowing HTML and JavaScript injection to persist across sessions. This is a classic stored XSS attack chain: injection at input → storage in database → unsafe rendering on output → execution in victim browsers. The blind nature means attackers cannot immediately see results but can exfiltrate data to external servers.

RemediationAI

Organizations should immediately consult the official GitHub security advisory at github.com/YesWiki/yeswiki/security/advisories/GHSA-37fq-47qj-6j5j for vendor-provided remediation guidance and patch availability. Upstream fix available (PR/commit); released patched version not independently confirmed from available data, so administrators should monitor the YesWiki GitHub repository for tagged security releases. As an interim mitigation, restrict access to form creation endpoints (/?BazaR&vue=formulaire) using web server access controls or authentication mechanisms to prevent unauthenticated submission. Implement Content Security Policy (CSP) headers with script-src 'self' directive to limit execution of inline JavaScript, though this may require application configuration changes. Database administrators should audit existing form entries for malicious script content by searching for patterns like <script>, javascript:, onerror=, and onload= in form title and description fields, sanitizing any identified payloads. For production environments unable to immediately patch, consider disabling the BazaR module entirely if not mission-critical. Subscribe to security notifications from github.com/advisories/GHSA-37fq-47qj-6j5j for updates on permanent fixes.

Share

CVE-2026-34598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy