
YesWiki CVE-2026-52778

EUVD-2026-35181 | CRITICAL
Code Injection (CWE-94)
2026-06-08 | GitHub_M
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 08, 2026 - 20:01 (EUVD)
Source Code Evidence Fetched: Jun 08, 2026 - 19:20 (vuln.today)
Analysis Generated: Jun 08, 2026 - 19:20 (vuln.today)

Description (NVD)

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.

Analysis (AI)

Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar CalcField formula evaluator, which sanitizes input with a recursive regex before passing it to eval(). The same flawed regex is also vulnerable to ReDoS/stack overflow, enabling denial of service against the server. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Discover YesWiki Bazar form with CalcField
Delivery: Craft formula bypassing recursive regex validator
Exploit: Submit form entry over HTTP
Execution: Validator passes payload into eval()
Persist: PHP code executes as web server user
Impact: Establish web shell or exfiltrate data

Vulnerability Assessment (AI)

Exploitation: Requires a YesWiki instance running a version prior to 4.6.6 with the Bazar module enabled and at least one Bazar form configured to include a CalcField (calculator field) that is reachable by the attacker; the attacker must submit a form entry, which triggers formatValuesBeforeSave on CalcField.php. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is consistent with the code path: any visitor able to submit a Bazar form entry triggers formatValuesBeforeSave and reaches the vulnerable eval. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated visitor browses to a YesWiki Bazar form that includes a calculator (CalcField) input, submits a crafted formula string designed to slip past the recursive regex validator while still being valid PHP (for example, abusing a tokenization edge case in the operator/function pattern), and triggers formatValuesBeforeSave, which calls eval() on the attacker-controlled string, executing arbitrary PHP as the web server user. The same endpoint can alternatively be hit with a deeply nested parenthesized payload to drive the recursive PCRE into a stack overflow and crash the PHP worker, achieving DoS without needing a validator bypass.

Remediation: Vendor-released patch: upgrade YesWiki to version 4.6.6 or later, which rewrites CalcField.php to use a tokenizer and recursive-descent parser with an explicit function whitelist instead of eval(); see release https://github.com/YesWiki/yeswiki/releases/tag/v4.6.6 and the fix commit https://github.com/YesWiki/yeswiki/commit/dd2bd8fb099de0d21504bda8a810693b3fcb8e52. … Detailed patch versions, workarounds, and compensating controls in full report.
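The fix pattern the description and remediation refer to, as an added example that is not YesWiki's own code: a tokenizer and recursive-descent parser with an explicit function whitelist computes the formula directly, so no PHP source ever reaches eval(), and a nesting bound turns the deeply nested input that can overflow a recursive PCRE pattern into a rejected formula. The whitelist contents and the depth limit are assumed values, and PHP 8 is assumed (throw expressions, DivisionByZeroError on division by zero).

```php
<?php
// Added example, not YesWiki's code: tokenizer + recursive-descent parser with
// a function whitelist, so a formula is computed without ever touching eval().
final class SafeCalc {
    private const FUNCS = ['abs', 'sqrt', 'round', 'max', 'min']; // assumed whitelist
    private const MAX_DEPTH = 32;                                  // assumed nesting limit
    private array $tok = [];
    private int $pos = 0, $depth = 0;
    public static function evaluate(string $formula): float {
        $c = new self();
        $re = '/\G\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/(),]))\s*/';  // the only tokens allowed
        for ($s = trim($formula), $off = 0; $off < strlen($s); $off += strlen($m[0])) {
            if (!preg_match($re, $s, $m, 0, $off)) throw new InvalidArgumentException("Bad input at $off");
            $c->tok[] = $m[1] !== '' ? ['num', (float) $m[1]] : (($m[2] ?? '') !== '' ? ['id', $m[2]] : ['op', $m[3]]);
        }
        $v = $c->expr();
        return $c->pos === count($c->tok) ? $v : throw new InvalidArgumentException('Trailing input');
    }
    private function take(string ...$ops): ?string {   // consume the next token if it is one of $ops
        $t = $this->tok[$this->pos] ?? null;
        return $t !== null && $t[0] === 'op' && in_array($t[1], $ops, true) ? $this->tok[$this->pos++][1] : null;
    }
    private function expr(): float {   // expr := ['-'] term (('+'|'-') term)*, recursion bounded
        if (++$this->depth > self::MAX_DEPTH) throw new LengthException('Formula nested too deeply');
        $v = $this->take('-') !== null ? -$this->term() : $this->term();
        while (($op = $this->take('+', '-')) !== null) $v += $op === '+' ? $this->term() : -$this->term();
        $this->depth--;
        return $v;
    }
    private function term(): float {   // term := primary (('*'|'/') primary)*; PHP 8 throws on x/0
        $v = $this->primary();
        while (($op = $this->take('*', '/')) !== null) $v = $op === '*' ? $v * $this->primary() : $v / $this->primary();
        return $v;
    }
    private function primary(): float {   // number | '(' expr ')' | whitelisted fn '(' expr {',' expr} ')'
        $t = $this->tok[$this->pos++] ?? throw new InvalidArgumentException('Unexpected end of formula');
        if ($t[0] === 'num') return $t[1];
        if ($t[0] === 'op' && $t[1] === '(') { $v = $this->expr(); $this->close(); return $v; }
        if ($t[0] !== 'id' || !in_array($t[1], self::FUNCS, true) || $this->take('(') === null)
            throw new InvalidArgumentException("Unexpected token '{$t[1]}'");
        $args = [$this->expr()];
        while ($this->take(',') !== null) $args[] = $this->expr();
        $this->close();
        return (float) $t[1](...$args);   // calls only whitelisted built-ins, which validate their own arguments
    }
    private function close(): void { $this->take(')') ?? throw new InvalidArgumentException("Expected ')'"); }
}
```

A call such as `SafeCalc::evaluate('round(sqrt(16) * (2 + 3) / 4, 1)')` walks the grammar above, while any input containing characters outside the token set (quotes, semicolons, `$`, backticks) or a function name outside FUNCS is rejected before anything is computed.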

Recommended Action (AI)

Within 24 hours: Identify all YesWiki deployments and current versions; implement network access controls restricting Bazar CalcField endpoints to authenticated users; enable enhanced logging on affected systems. …


CVE-2026-52778 vulnerability details – vuln.today
