Skip to main content

YesWiki CVE-2026-52773

MEDIUM
Basic XSS (CWE-80)
2026-07-09 https://github.com/YesWiki/yeswiki GHSA-35f3-pg38-486f
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Attacker needs no privileges; victim interaction is mandatory; scope changes to browser; no availability impact; AC:L because archived timestamps are publicly discoverable from page history.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 21:54 vuln.today

DescriptionGitHub Advisory

Summary

YesWiki's archived-revision view reflects the time GET parameter into a hidden HTML input in handlers/page/show.php without escaping. Because MySQL coerces malformed DATETIME strings, an attacker can append HTML or JavaScript to a valid archived revision timestamp, still load that archived revision, and execute arbitrary JavaScript in the victim's browser.

The vulnerable form is only rendered when the victim can both read and edit the target page. In restricted deployments this requires a victim with read and write access to that page. On a default doryphore 4.6.5 install, public pages such as PagePrincipale were editable anonymously during validation, so the issue can also affect unauthenticated visitors in that configuration.

Details

The request routing path uses the user-controlled time parameter to load a specific page revision. In includes/YesWiki.php around Run() line 1223, the request is routed through:

php
$this->SetPage($this->LoadPage($tag, isset($_REQUEST['time']) ? $_REQUEST['time'] : ''));

LoadPage() delegates to PageManager::getOne() in includes/services/PageManager.php around line 75, which builds a SQL predicate directly from the supplied revision time:

php
$timeQuery = $time ? "time = '{$this->dbService->escape($time)}'" : "latest = 'Y'";

If the loaded page is an archived revision (latest == 'N') and the current user has write access, handlers/page/show.php around lines 43-49 renders an edit form for that archived revision and copies $_GET['time'] into a hidden input without htmlspecialchars():

php
$time = isset($_GET['time']) ? $_GET['time'] : '';
echo $this->FormOpen(testUrlInIframe() ? 'editiframe' : 'edit', '', 'get');
<input type="hidden" name="time" value="<?php echo $time; ?>" />

That sink is reachable only when all of the following are true:

  1. The target page has at least one archived revision.
  2. The victim can read the target page.
  3. The victim can write the target page, because the archived revision edit form is rendered only inside the if ($this->HasAccess('write')) branch.

In practice, the payload must begin with a real archived revision timestamp. A completely invalid time value does not reach the archived branch because YesWiki only updates the current page object when the revision lookup returns a non-empty row.

During local validation on the official doryphore 4.6.5 package, the exploit worked because MySQL accepted a malformed timestamp string as matching an existing archived revision row. For example, the following expression was coerced to the stored revision time:

sql
CAST(CONCAT('2026-05-24 04:30:00', CHAR(34), CHAR(62), CHAR(60), 'script', CHAR(62), 'alert(1)', CHAR(60), '/script', CHAR(62)) AS DATETIME)

and the corresponding query predicate still matched the archived row:

sql
WHERE time = '2026-05-24 04:30:00"><script>alert(1)</script>'

This means a payload can begin with a valid archived revision timestamp, still resolve to the archived revision, and then be reflected unescaped into the hidden HTML field.

For comparison, tools/bazar/handlers/page/show__.php around lines 13-14 escapes the same time value with htmlspecialchars(), which shows that the core handler's behavior is inconsistent and unsafe.

This issue maps to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

PoC

  1. Set up a vulnerable YesWiki instance. This was validated locally on the official doryphore 4.6.5 release.
  2. Use a target page that has at least one archived revision. Any page with revision history is sufficient.
  3. Confirm the victim has the rights needed to reach the vulnerable sink:
  • The victim must have read access to the page.
  • The victim must have write access to the page.
  • On the default validation install, these rights were available anonymously on public pages such as PagePrincipale, so no login was required in that configuration.
  1. Identify the timestamp of an archived revision. In the validated setup, an archived PagePrincipale revision existed at 2026-05-24 04:30:00.
  2. Send the victim a crafted URL that starts with that valid archived revision timestamp and then appends an attribute-breaking payload:
text
http://127.0.0.1:8085/PagePrincipale?time=2026-05-24%2004:30:00%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cinput%20value=%22
  1. Open the URL in a browser as a victim who has the required read and write rights.
  2. Observe that YesWiki still loads the archived revision view and displays the archived-revision warning block, proving the malformed time value matched the stored archived revision.
  3. Inspect the returned HTML. The response contains the injected payload inside the hidden form field:
html
<input type="hidden" name="time" value="2026-05-24 04:30:00"><script>alert(1)</script><input value="" />
  1. The browser executes the injected JavaScript in the YesWiki origin. A simple payload such as alert(1) demonstrates code execution; a real payload could read browser-accessible data or perform actions in the victim's session.

<img width="1600" height="829" alt="image" src="https://github.com/user-attachments/assets/d0b85a7c-2213-4459-908c-969934f06358" />

Impact

This is a reflected XSS vulnerability in the archived-revision workflow.

The practical access model is:

  • The attacker only needs to send a crafted link.
  • The victim must have read and write access to the target page.
  • The target page must have at least one archived revision.
  • On deployments where anonymous visitors can edit public pages, the issue can be exploited against unauthenticated visitors as well.

An attacker may be able to:

  • Execute arbitrary JavaScript in the victim's browser.
  • Steal browser-accessible sensitive data.
  • Perform actions as the victim inside YesWiki.
  • Abuse the trusted YesWiki origin for phishing, UI redressing, or follow-on attacks.

AnalysisAI

Reflected XSS in YesWiki doryphore 4.6.5 allows an attacker to execute arbitrary JavaScript in a victim's browser by exploiting unescaped output of the time GET parameter in the archived-revision edit form at handlers/page/show.php. A working proof-of-concept has been published by the reporter and confirmed against the official package; the attack exploits MySQL's DATETIME coercion to accept a malformed timestamp that begins with a real archived revision value yet appends injected markup, causing the archived-revision branch to render and reflect the payload unescaped. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Browse target page revision history to obtain valid archived timestamp
Delivery
Craft URL appending HTML-breaking XSS payload to timestamp
Exploit
Deliver crafted link to victim with read+write access
Install
Victim browser opens URL
C2
MySQL DATETIME coercion matches archived revision row
Execute
`show.php` renders unescaped `time` value into hidden input
Impact
Injected JavaScript executes in YesWiki origin

Vulnerability AssessmentAI

Exploitation Three specific conditions must hold simultaneously: (1) the target wiki page must have at least one archived revision in its history - a page with no prior edits is not exploitable; (2) the victim must have both `read` and `write` access to the target page, because the vulnerable sink is rendered exclusively inside the `HasAccess('write')` branch in `show.php`; (3) the attacker must know or discover a valid archived revision timestamp for that page, since a fully invalid `time` value does not reach the archived-revision rendering branch. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) accurately reflects a low-complexity, network-reachable reflected XSS with a changed scope but with a required victim interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a YesWiki instance running doryphore 4.6.5 where a public page such as `PagePrincipale` has at least one archived revision and is editable by anonymous visitors. The attacker retrieves a valid archived revision timestamp from the page history, appends URL-encoded HTML breaking characters and a JavaScript payload (`2026-05-24%2004:30:00%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E`), and sends the crafted link to victims via phishing. …
Remediation The upstream fix is a commit to `handlers/page/show.php` that adds `htmlspecialchars()` output encoding to the `$time` variable before rendering it into the hidden HTML input; the patch commit is 35ad9c2bb6cd338198b37c1f745e24bc302a3560 in the YesWiki GitHub repository (https://github.com/YesWiki/yeswiki/commit/35ad9c2bb6cd338198b37c1f745e24bc302a3560). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-52773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy