Description
YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1.
Published: 2026-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

YesWiki is a PHP‑based wiki platform. Prior to version 4.6.1, its bazar module contains a classic SQL injection flaw (CWE-89) in tools/bazar/services/EntryManager.php, in formatDataBeforeSave(). The id_fiche value taken directly from $_POST['id_fiche'] is concatenated into a raw SQL statement without sanitization or parameterization, so a value containing a quote or other SQL metacharacters changes the structure of the query instead of being treated as data. The description does not say which statement is affected; based on it, an attacker who can reach this code path could read, modify, or delete data in the wiki's database, and the CVSS vector (C:H/I:H/A:H) rates the impact on confidentiality, integrity and availability as high.
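The concatenation pattern described above, next to the parameterized form that removes the injection, as an added illustration written for this page. It is not YesWiki's code: the table, the column names, the SELECT shape (the advisory does not say which statement is affected), the identifier regex and the sample rows and attacker payload are all assumptions or constructed data. It runs stand-alone under the PHP CLI with pdo_sqlite.

```php
<?php
// Added illustration of the CWE-89 pattern attributed to EntryManager::formatDataBeforeSave():
// a hypothetical "before" that splices $_POST['id_fiche'] into SQL text, beside a hardened
// "after". Nothing here is YesWiki's own code; schema, query shape and regex are assumed.

function setupDb(): PDO {
    // In-memory SQLite so the script needs no server; rows are constructed sample data.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE entries (id_fiche TEXT PRIMARY KEY, owner TEXT, body TEXT)");
    $db->exec("INSERT INTO entries VALUES ('FicheAlice1', 'alice', 'public note')");
    $db->exec("INSERT INTO entries VALUES ('FicheBob2',   'bob',   'confidential salary sheet')");
    return $db;
}

// Vulnerable pattern: the request value becomes part of the statement text, so a value
// containing a quote closes the literal and the rest is parsed as SQL.
function lookupVulnerable(PDO $db, array $data): array {
    $sql = "SELECT id_fiche, owner, body FROM entries WHERE id_fiche = '" . $data['id_fiche'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: allowlist the identifier shape, then bind it as a parameter so the
// database engine only ever sees it as a value, never as statement text.
function lookupSafe(PDO $db, array $data): array {
    $id = $data['id_fiche'] ?? '';
    // Assumed identifier format (alphanumeric page tag); replace with the project's real rule.
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $id)) {
        throw new InvalidArgumentException('id_fiche has an unexpected format');
    }
    $stmt = $db->prepare("SELECT id_fiche, owner, body FROM entries WHERE id_fiche = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
// Constructed attacker-controlled value standing in for $_POST['id_fiche'].
$payload = ['id_fiche' => "x' OR '1'='1"];

// The vulnerable query turns into ... WHERE id_fiche = 'x' OR '1'='1' and returns every row,
// including the entry the caller does not own.
$leaked = lookupVulnerable($db, $payload);
printf("vulnerable: %d rows for a bogus id (owners: %s)\n",
    count($leaked), implode(',', array_column($leaked, 'owner')));

// The allowlist rejects the payload before any SQL is built.
try {
    lookupSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected before reaching SQL: " . $e->getMessage() . "\n";
}

// Even without the allowlist, a bound parameter keeps the payload a plain string literal,
// so the same value matches nothing instead of matching everything.
$stmt = $db->prepare("SELECT count(*) FROM entries WHERE id_fiche = :id");
$stmt->execute([':id' => $payload['id_fiche']]);
echo "bound parameter: " . $stmt->fetchColumn() . " rows\n";
```

The two defenses are independent and worth keeping together: the allowlist fails closed on anything that does not look like an entry identifier (and gives you a clean event to alert on), while the bound parameter is what actually removes the injection, regardless of what the validation lets through.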

Affected Systems

All installations of YesWiki using the bazar module with a version earlier than 4.6.1 are vulnerable. The flaw resides in tools/bazar/services/EntryManager.php and was patched in release 4.6.1.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, low privileges required. The EPSS score is below 1% (very low), so little exploitation activity is predicted at present, and the CVE is not listed in the CISA KEV catalog. PR:L and the advisory title ("authenticated SQL Injection") indicate that an attacker needs a valid account that is allowed to save bazar entries, since the affected code runs in EntryManager::formatDataBeforeSave(); with that, a single crafted POST request carrying a malicious id_fiche value reaches the vulnerable statement. Once reached, the injection can expose sensitive database content, alter or delete it, and disrupt availability, as the vector's C:H/I:H/A:H indicates.

Generated by OpenCVE AI on May 7, 2026 at 06:50 UTC.

Remediation

Vendor fix: YesWiki 4.6.1 patches the issue (see the Description above and GHSA-f58v-p6j9-24c2). No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Update YesWiki to version 4.6.1 or later to apply the vendor fix for the id_fiche handling in EntryManager.php.
  • If an upgrade is not yet possible, temporarily disable the bazar module or restrict the entry‑saving path (the affected code runs in EntryManager::formatDataBeforeSave()) to users you trust.
  • Apply server‑side validation that rejects id_fiche values which do not match the expected entry identifier format (a quote or other SQL metacharacter in id_fiche is a sign of an attack attempt and worth alerting on), and limit the ability to save bazar entries to trusted roles.

Generated by OpenCVE AI on May 7, 2026 at 06:50 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-f58v-p6j9-24c2
Title: YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
History

Thu, 07 May 2026 06:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Yeswiki; Yeswiki yeswiki
Vendors & Products   -                Yeswiki; Yeswiki yeswiki

Thu, 07 May 2026 05:30:00 +0000

Type         Values Removed   Values Added
Description  -                (identical to the Description at the top of this page)
Title        -                YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()
Weaknesses   -                CWE-89
References   -                
Metrics      -                cvssV3_1: score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:41:46.278Z

Reserved: 2026-04-17T12:59:15.739Z

Link: CVE-2026-41143

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-07T06:16:04.550

Modified: 2026-05-07T06:16:04.550

Link: CVE-2026-41143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T07:00:13Z

Weaknesses