Apr 20, 2026·5 min read·17 visits
YesWiki versions prior to 4.6.1 contain a high-severity SQL Injection vulnerability (CWE-89) in the `EntryManager` service. An authenticated attacker can append raw SQL to the `id_fiche` parameter, enabling data exfiltration and database modification.
An authenticated SQL Injection vulnerability exists in the Bazar module of YesWiki. The flaw allows authenticated attackers to execute arbitrary SQL commands via the `id_fiche` parameter, potentially resulting in full database compromise.
YesWiki is an open-source wiki software. The Bazar module extends the wiki with structured data entry capabilities. Within this module, the EntryManager service handles the creation and modification of these entries.
The vulnerability is categorized as CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The application fails to sanitize user-supplied input before embedding it within a database query.
An attacker with basic authenticated access (requiring only acl:{\u0022+\u0022} permissions) can leverage this flaw. By targeting the application programming interface (API) endpoints responsible for entry management, the attacker achieves arbitrary SQL execution against the backend database.
The root cause resides in the handling of HTTP POST requests within the Bazar module's EntryManager service. Specifically, the processing of the id_fiche parameter bypasses standard input sanitization routines.
When an authenticated user submits a request to the /api/entries/{formId} endpoint, the application routes the payload to ApiController::createEntry(). This controller subsequently verifies the entry's existence using the provided id_fiche value.
If the entry is not found, the controller invokes the create() method, which subsequently calls formatDataBeforeSave(). During this formatting phase, the unsanitized id_fiche value is directly concatenated into a raw SQL string.
The resulting query is passed directly to the DbService::loadSingle() method. The backend database executes the concatenated string verbatim, enabling the attacker to alter the query logic.
The specific failure occurs in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] variable is extracted from the incoming request payload and inserted into a SELECT statement.
$result = $this->dbService->loadSingle(
'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
"WHERE tag='" . $data['id_fiche'] . "'"
);The DbService class provides an escape() method designed to neutralize SQL metacharacters. However, the developer omitted this call when constructing the WHERE clause for the tag column.
The patched version introduces the required escape() call prior to query construction. This modification ensures that malicious input such as single quotes are properly escaped, neutralizing the injection vector.
// Patched implementation
$tag = $this->dbService->escape($data['id_fiche']);
$result = $this->dbService->loadSingle(
'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
"WHERE tag='" . $tag . "'"
);This fix completely addresses the vulnerability within this function path by ensuring that any injected SQL syntax is treated strictly as a string literal rather than executable code.
Exploitation requires the attacker to possess a valid session token corresponding to an account with basic write permissions. The attacker must construct a crafted POST request targeting the affected API endpoint.
A time-based blind SQL injection attack confirms the vulnerability by forcing the database to sleep. The attacker injects a SLEEP() command into the id_fiche parameter, observing the delayed response from the server.
curl -s -X POST 'http://<TARGET_HOST>/?api/entries/1' \
-H 'Cookie: wikini_session=<VALID_SESSION_ID>' \
-d "antispam=1&bf_titre=TestTitle&id_fiche=' OR SLEEP(3) OR '"Alternatively, an error-based vector extracts data directly via verbose database error messages. By using the extractvalue function, the attacker forces the application to return the database version string within an XPath syntax error.
curl -s -X POST 'http://<TARGET_HOST>/?api/entries/1' \
-H 'Cookie: wikini_session=<VALID_SESSION_ID>' \
-d "antispam=1&bf_titre=TestTitle&id_fiche=' AND extractvalue(1,concat(0x7e,@@version))-- -"Automated exploitation tools like sqlmap can readily process this injection point. By specifying the id_fiche parameter and supplying a valid session cookie, an attacker can extract the entire database schema and contents.
The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting its high severity. The attack vector is strictly network-based, and exploitation requires low complexity.
The primary impact is the complete loss of database confidentiality. An attacker can systematically extract all records, including user credentials, administrative session tokens, and private wiki content.
Database integrity is equally compromised. The attacker can execute UPDATE or INSERT statements, modifying application data or elevating the privileges of their own account.
Availability is impacted if the attacker utilizes denial-of-service queries. Excessive SLEEP commands or computationally expensive joins can exhaust database connection pools, rendering the wiki inaccessible.
The vulnerability is definitively resolved in YesWiki version 4.6.1. System administrators must update their installations to this version or newer to eliminate the attack vector.
If immediate patching is not feasible, administrators can implement Web Application Firewall (WAF) rules. These rules should inspect the POST body of requests to /api/entries/ and block payloads containing SQL meta-characters like --, ', or common SQL functions.
Security teams should audit web server logs for exploitation attempts. The presence of functions like SLEEP(), extractvalue(), or concat() within the id_fiche parameter serves as a strong indicator of compromise.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
yeswiki/yeswiki YesWiki | < 4.6.1 | 4.6.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-89 |
| Attack Vector | Network |
| CVSS Score | 8.8 |
| Privileges Required | Low |
| Exploit Status | PoC Available |
| KEV Status | Not Listed |
Improper Neutralization of Special Elements used in an SQL Command
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.