CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-F58V-P6J9-24C2

GHSA-f58v-p6j9-24c2: Authenticated SQL Injection in YesWiki Bazar Module

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 20, 2026·5 min read·17 visits

Executive Summary (TL;DR)

YesWiki versions prior to 4.6.1 contain a high-severity SQL Injection vulnerability (CWE-89) in the `EntryManager` service. An authenticated attacker can append raw SQL to the `id_fiche` parameter, enabling data exfiltration and database modification.

An authenticated SQL Injection vulnerability exists in the Bazar module of YesWiki. The flaw allows authenticated attackers to execute arbitrary SQL commands via the `id_fiche` parameter, potentially resulting in full database compromise.

Vulnerability Overview

YesWiki is an open-source wiki software. The Bazar module extends the wiki with structured data entry capabilities. Within this module, the EntryManager service handles the creation and modification of these entries.

The vulnerability is categorized as CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The application fails to sanitize user-supplied input before embedding it within a database query.

An attacker with basic authenticated access (requiring only acl:{\u0022+\u0022} permissions) can leverage this flaw. By targeting the application programming interface (API) endpoints responsible for entry management, the attacker achieves arbitrary SQL execution against the backend database.

Root Cause Analysis

The root cause resides in the handling of HTTP POST requests within the Bazar module's EntryManager service. Specifically, the processing of the id_fiche parameter bypasses standard input sanitization routines.

When an authenticated user submits a request to the /api/entries/{formId} endpoint, the application routes the payload to ApiController::createEntry(). This controller subsequently verifies the entry's existence using the provided id_fiche value.

If the entry is not found, the controller invokes the create() method, which subsequently calls formatDataBeforeSave(). During this formatting phase, the unsanitized id_fiche value is directly concatenated into a raw SQL string.

The resulting query is passed directly to the DbService::loadSingle() method. The backend database executes the concatenated string verbatim, enabling the attacker to alter the query logic.

Code Analysis

The specific failure occurs in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] variable is extracted from the incoming request payload and inserted into a SELECT statement.

$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    "WHERE tag='" . $data['id_fiche'] . "'"
);

The DbService class provides an escape() method designed to neutralize SQL metacharacters. However, the developer omitted this call when constructing the WHERE clause for the tag column.

The patched version introduces the required escape() call prior to query construction. This modification ensures that malicious input such as single quotes are properly escaped, neutralizing the injection vector.

// Patched implementation
$tag = $this->dbService->escape($data['id_fiche']);
$result = $this->dbService->loadSingle(
    'SELECT MIN(time) as firsttime FROM ' . $this->dbService->prefixTable('pages') .
    "WHERE tag='" . $tag . "'"
);

This fix completely addresses the vulnerability within this function path by ensuring that any injected SQL syntax is treated strictly as a string literal rather than executable code.

Exploitation Methodology

Exploitation requires the attacker to possess a valid session token corresponding to an account with basic write permissions. The attacker must construct a crafted POST request targeting the affected API endpoint.

A time-based blind SQL injection attack confirms the vulnerability by forcing the database to sleep. The attacker injects a SLEEP() command into the id_fiche parameter, observing the delayed response from the server.

curl -s -X POST 'http://<TARGET_HOST>/?api/entries/1' \
  -H 'Cookie: wikini_session=<VALID_SESSION_ID>' \
  -d "antispam=1&bf_titre=TestTitle&id_fiche=' OR SLEEP(3) OR '"

Alternatively, an error-based vector extracts data directly via verbose database error messages. By using the extractvalue function, the attacker forces the application to return the database version string within an XPath syntax error.

curl -s -X POST 'http://<TARGET_HOST>/?api/entries/1' \
  -H 'Cookie: wikini_session=<VALID_SESSION_ID>' \
  -d "antispam=1&bf_titre=TestTitle&id_fiche=' AND extractvalue(1,concat(0x7e,@@version))-- -"

Automated exploitation tools like sqlmap can readily process this injection point. By specifying the id_fiche parameter and supplying a valid session cookie, an attacker can extract the entire database schema and contents.

Impact Assessment

The vulnerability carries a CVSS 3.1 base score of 8.8, reflecting its high severity. The attack vector is strictly network-based, and exploitation requires low complexity.

The primary impact is the complete loss of database confidentiality. An attacker can systematically extract all records, including user credentials, administrative session tokens, and private wiki content.

Database integrity is equally compromised. The attacker can execute UPDATE or INSERT statements, modifying application data or elevating the privileges of their own account.

Availability is impacted if the attacker utilizes denial-of-service queries. Excessive SLEEP commands or computationally expensive joins can exhaust database connection pools, rendering the wiki inaccessible.

Remediation and Detection

The vulnerability is definitively resolved in YesWiki version 4.6.1. System administrators must update their installations to this version or newer to eliminate the attack vector.

If immediate patching is not feasible, administrators can implement Web Application Firewall (WAF) rules. These rules should inspect the POST body of requests to /api/entries/ and block payloads containing SQL meta-characters like --, ', or common SQL functions.

Security teams should audit web server logs for exploitation attempts. The presence of functions like SLEEP(), extractvalue(), or concat() within the id_fiche parameter serves as a strong indicator of compromise.

Official Patches

YesWikiOfficial YesWiki repository where version 4.6.1 is hosted.

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

YesWiki (Bazar module) installations prior to version 4.6.1

Affected Versions Detail

Product
Affected Versions
Fixed Version
yeswiki/yeswiki
YesWiki
< 4.6.14.6.1
AttributeDetail
CWE IDCWE-89
Attack VectorNetwork
CVSS Score8.8
Privileges RequiredLow
Exploit StatusPoC Available
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
CWE-89
SQL Injection

Improper Neutralization of Special Elements used in an SQL Command

Known Exploits & Detection

GitHub Security AdvisoryAdvisory documenting the time-based blind and error-based SQL injection vectors.
PoC Evidence ImageImage confirming the SLEEP(3) payload execution.

Vulnerability Timeline

Advisory published via GitHub Security Advisory (GHSA-f58v-p6j9-24c2).
2026-04-18
Vulnerability data added to Google OSV database.
2026-04-18
Fixed version 4.6.1 released.
2026-04-18

References & Sources

  • [1]GitHub Security Advisory: GHSA-f58v-p6j9-24c2
  • [2]OSV Entry for GHSA-f58v-p6j9-24c2
  • [3]YesWiki Source Code Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 19 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 20 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 21 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 22 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 23 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•1 day ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read