Description
YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Blind Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

A stored and blind cross‑site scripting flaw exists in the form title field of YesWiki, allowing an unauthenticated attacker to inject JavaScript that is subsequently executed when any user opens the affected page. This can lead to client‑side code execution, facilitating cookie theft, session hijacking, defacement, or redirection to malicious sites.

Affected Systems

The vulnerability affects all YesWiki installations running versions prior to 4.6.0. Users of YesWiki older than the v4.6.0 release are at risk, while installations updated to 4.6.0 or later are safe.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation in the wild. Since the flaw can be triggered without authentication, an attacker only needs to create a malicious form title and await a victim to open the page. The issue is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 10, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade YesWiki to version 4.6.0 or later.
  • Confirm that the upgrade successfully applied and that the form title field no longer accepts malicious scripts.
  • If an upgrade is not immediately possible, limit write permissions to the form title field or apply server‑side input sanitization to neutralize script payloads.
  • Regularly monitor the platform for additional security announcements.

Generated by OpenCVE AI on April 10, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-37fq-47qj-6j5j YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"
History

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yeswiki:yeswiki:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Yeswiki
Yeswiki yeswiki
Vendors & Products Yeswiki
Yeswiki yeswiki

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.
Title YesWiki has Persistant Blind XSS at "/?BazaR&vue=consulter"
Weaknesses CWE-79
CWE-87
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Yeswiki Yeswiki
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T19:09:44.401Z

Reserved: 2026-03-30T17:15:52.499Z

Link: CVE-2026-34598

cve-icon Vulnrichment

Updated: 2026-04-02T19:09:40.742Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T18:16:31.740

Modified: 2026-04-10T15:58:29.673

Link: CVE-2026-34598

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:04Z

Weaknesses