YesWiki CVE-2026-52775
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network API reachable with a self-service low-privilege account (PR:L), no user interaction, and unparameterized SQL yields full DB read/write, so C/I/A all High.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionGitHub Advisory
Summary
YesWiki through the latest development branch contains a SQL injection vulnerability in ReactionManager::deleteUserReaction() that allows any authenticated user to inject arbitrary SQL via the {idreaction} and {id} URL path parameters. The parameters are concatenated directly into a SQL LIKE clause without escaping or parameterization.
This is a sibling of CVE-2026-46670 (unauthenticated SQLi in FormManager::create()). Both share the same root cause - raw string concatenation into SQL queries - but exist in different components.
Root Cause
includes/controllers/ApiController.php line 726:
/**
* @Route("/api/reactions/{idreaction}/{id}/{page}/{username}", methods={"DELETE"}, options={"acl":{"+"}})
*/ACL "+" = any authenticated user. Parameters flow into ReactionManager::deleteUserReaction() → TripleStore::delete() with raw string concatenation into SQL LIKE clause (line 356).
The if branch (lines 340-354) properly uses $this->dbService->escape(). The else branch does not - the developer applied escaping to one code path but not the other.
PoC
DELETE /wiki/?api/reactions/x%27%20OR%201=1%20OR%20value%20LIKE%20%27/test/SomePage/attacker
Host: localhost:8085
Cookie: <session cookie>Time-based blind variant via {id} parameter for data exfiltration.
Impact
Full database read/write. Any self-registered user can extract yeswiki_users password hashes and emails.
Suggested Fix
Apply $this->dbService->escape() to all parameters in the else branch, matching the if branch pattern. Also audit all TripleStore::delete() callers that pass $extraSQL.
Credits
Kai Aizen / SnailSploit
AnalysisAI
{idreaction} and {id} URL path parameters, which are concatenated directly into a LIKE clause. Because YesWiki permits open self-registration, the practical barrier is minimal, and the flaw grants full database read/write - including extraction of yeswiki_users password hashes and emails. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated session on the target YesWiki instance (route ACL '+' = any logged-in user, matching CVSS PR:L); no admin or elevated role is needed. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) is internally consistent with the description: network-reachable, low complexity, requiring only low-privilege authentication, with high impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker self-registers a normal account on an internet-facing YesWiki instance, authenticates, then sends a crafted DELETE request to /wiki/?api/reactions/{idreaction}/{id}/... with SQL payload injected into the path parameters (e.g. … |
| Remediation | Upstream fix available (commit 90ca54fb518e1c43a1ead6e4f5bf9f0389789841); a released patched version tag was not independently confirmed in the provided data, so apply the fix by updating to the patched commit/branch referenced in advisory GHSA-4pf7-cc4r-g63h (https://github.com/YesWiki/yeswiki/security/advisories/GHSA-4pf7-cc4r-g63h). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: enumerate all YesWiki deployments and document version numbers. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-4pf7-cc4r-g63h