YesWiki CVE-2026-52777
CRITICALSeverity by source
Network CSRF delivery (AV:N, PR:N) needs an authenticated admin victim to visit the page (UI:R) plus a working gadget chain (AC:H); RCE escapes the app to the host (S:C) with full C/I/A impact.
Lifecycle Timeline
1DescriptionCVE.org
Details
Sink
tools/bazar/services/CSVManager.php line 372-399:
public function importEntry(array $importedEntries, string $formId): ?array
{
if (!$this->importdone) {
// ...
foreach ($importedEntries as $entry) {
$entry = unserialize(base64_decode($entry)); // <-- SINK
$entry = array_map('strval', $entry);
// ...There is no ['allowed_classes' => false] argument; arbitrary classes are instantiated. The subsequent array_map('strval', $entry) additionally exercises __toString on each top-level array element, doubling the magic-method surface available to a gadget chain.
Source
tools/bazar/actions/BazarImportAction.php:
// formatArguments()
'mode' => (isset($_POST['submit_file']) && !empty($_FILES['fileimport']['name'])) ? 'submitfile' :
(isset($_POST['importfiche']) ? 'importentries' : 'default'),
'importentries' => $_POST['importfiche'] ?? null,
// run()
case 'importentries':
// ...
$importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']);
break;$_POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>.
Reachability
- The action is registered as
bazarimport. The defaultBazaRpage (setup/sql/default-content.sql->BazaRpage entry, ships with{{bazar showexportbuttons="1"}}) routes?BazaR&vue=importer&id_typeannonce=<N>toBazarAction::run()->case VOIR_IMPORTER -> callAction('bazarimport', ...)(tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring. BazarImportAction::run()calls$this->checkSecuredACL()with the default$adminOnly=true. Only wiki admins (or accounts the admin has added to thebazarimportaction ACL) can execute it.- The
importentriesbranch does NOT invokeCsrfTokenController::checkToken(...). Greppingtools/bazar/actions/BazarImportAction.phpconfirms the action class has nocsrforcheckTokenreference at all. This is asymmetric with sibling actions:tools/bazar/controllers/FormController.phpdoes callcheckToken('main', 'POST', 'confirmDeleteToken')for destructive operations. The import path skips the same protection. - Therefore the full kill chain for a remote attacker is:
a. Identify any admin user on the target wiki. b. Deliver an HTML page (email, chat, link) that auto-POSTs importfiche[0]=<base64-encoded PHPGGC payload> to https://<wiki>/?BazaR&vue=importer&id_typeannonce=1. c. The admin's session cookie is sent automatically; the action passes checkSecuredACL; the unserialize fires.
Gadget chain availability
composer.json requires doctrine/annotations ^1.11 and doctrine/cache ^1.10. Both have published PHPGGC chains (Doctrine/RCE1, Doctrine/FW1, Doctrine/FW2, etc., from https://github.com/ambionics/phpggc). These chains terminate in either system($cmd) (RCE1) or file_put_contents($php_file, $contents) (FW1) entry-points -- both sufficient to give the attacker shell on the YesWiki host.
This advisory does not include a working PHPGGC chain end-to-end (writing a chain that survives YesWiki's exact dependency-resolved class graph is separate work). The PoC demonstrates the primitive (attacker-controlled class instantiation + magic-method execution); the chain is a downstream exercise using public tooling.
Past advisories cross-check
YesWiki's published GitHub advisories cover XSS, SQLi, arbitrary-PHP-file-write RCE, path traversal, and unauthenticated backup download. None covers an unserialize / PHP-object-injection sink, so this is a novel vulnerability class for the project.
PoC
A self-contained PoC reproducing the inner loop is available; it copies the exact two-line sink and proves that attacker-controlled __destruct runs without booting the full application.
Run:
php poc.phpOutput (verbatim):
Crafted importfiche[0] payload (form-ready, urlencoded):
YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ%3D%3D
== before importEntry ==
[Gadget] __destruct fired with marker='PWNED-FROM-UNSERIALIZE'
PHP Fatal error: Uncaught Error: Object of class Gadget could not be converted to string ...
[Gadget] __destruct fired with marker='PWNED-FROM-UNSERIALIZE'The two [Gadget] __destruct fired lines (one from inside the loop, one from the engine shutdown after the TypeError) confirm that the attacker-defined Gadget::__destruct executed -- with the attacker-supplied marker -- inside the unmodified importEntry code path.
End-to-end against a live YesWiki install:
curl -i -b "yeswiki_session=<admin_cookie>" \
-X POST "https://wiki.example.com/?BazaR&vue=importer&id_typeannonce=1" \
--data-urlencode \
"importfiche[0]=YToxOntpOjA7Tzo2OiJHYWRnZXQiOjE6e3M6NjoibWFya2VyIjtzOjIyOiJQV05FRC1GUk9NLVVOU0VSSUFMSVpFIjt9fQ=="(replace the payload with a real PHPGGC Doctrine/FW1 or Doctrine/RCE1 output to obtain RCE on the target host).
Impact
- Authenticated wiki admin who lands on attacker-controlled HTML obtains remote code execution on the YesWiki server (via the cross-site forgery path; no admin interaction with the import UI is required).
- An attacker who has already compromised an admin password upgrades from "wiki content management" to "OS shell on the hosting box".
- The compromise survives the wiki layer entirely: the attacker can write web shells, exfiltrate other sites on shared hosting, modify
wakka.config.php, dump the MySQL database, and pivot from there.
Suggested fix
tools/bazar/services/CSVManager.php::importEntry-- pass['allowed_classes' => false]tounserialize, or, better, replace the base64+serialize transport with the JSON transport the current UI already uses (?api/entries/{formId}POST intools/bazar/presentation/javascripts/bazar-import.js). The serialized-PHP transport appears to be an unused legacy path.tools/bazar/actions/BazarImportAction.php-- add aCsrfTokenController::checkToken('main', 'POST', 'csrf-token', false)guard for the'importentries'mode (and any other state-changing modes). The existingtools/bazar/controllers/FormController.phppattern can be lifted directly.
Articles & Coverage 1
AnalysisAI
PHP object injection in YesWiki's BazaR import feature allows an attacker to reach an unsafe unserialize() sink in tools/bazar/services/CSVManager.php, where attacker-supplied base64 data is deserialized without allowed_classes=false, instantiating arbitrary classes and triggering magic methods (__destruct, and __toString via array_map('strval')). Because the importentries mode lacks CSRF protection (the assigned root cause CWE-352), a remote attacker can host an auto-POSTing HTML page that, when visited by a logged-in wiki admin, drives the deserialization using the admin's session - chaining published Doctrine PHPGGC gadgets into remote code execution on the host. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a YesWiki install where the BazaR tool is present (default installs ship the BazaR page and route ?BazaR&vue=importer, so no special page authoring is needed) and an authenticated administrator (or an account added to the bazarimport action ACL, enforced by checkSecuredACL with default $adminOnly=true) who is currently logged in and can be induced to visit an attacker-controlled web page - the missing CSRF token on the importentries mode is the specific enabling condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or vector was provided by the source (CVSS: N/A), so exploitability metrics are inferred, not authoritative - authentication requirements cannot be confirmed from a vendor-supplied vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts an HTML page that auto-submits a POST containing importfiche[0]=<base64 PHPGGC Doctrine payload> to https://victim-wiki/?BazaR&vue=importer&id_typeannonce=1 and delivers the link to a YesWiki administrator by email or chat. When the logged-in admin opens the page, their session cookie is sent automatically, checkSecuredACL passes, and the unserialize() instantiates the gadget chain, running system()- or file_put_contents()-based code to drop a web shell on the host. … |
| Remediation | Upstream fix available (commit); released patched version not independently confirmed - apply the fix in commit https://github.com/YesWiki/yeswiki/commit/8f70a8d6b8befa0e644d03c785701dbbc55b8fd0 and follow GHSA-9369-69wj-7m2f (https://github.com/YesWiki/yeswiki/security/advisories/GHSA-9369-69wj-7m2f), mapping the commit to its tagged release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all YesWiki instances and review administrator activity logs; publicly available proof-of-concept code exists for the underlying object-injection vector. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9369-69wj-7m2f