Description
YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.
Published: 2026-06-08
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

YesWiki, a PHP-based wiki platform, passes user-defined formulas from the Bazar form field calculator (CalcField.php) to PHP's eval() after filtering them with a complex recursive regular expression. That filter is the only barrier between user input and code execution, and it fails in two ways: a crafted formula can drive the regex into catastrophic backtracking (a Regular Expression Denial of Service, reported as a stack overflow that crashes the server), and any input the regex accepts but should not is executed as arbitrary PHP. The weaknesses are classified as CWE-1333 (Inefficient Regular Expression Complexity) and CWE-94 (Improper Control of Generation of Code).
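The two designs the paragraph above contrasts, as an added example in PHP; this is not code from YesWiki, CalcField.php, or the 4.6.6 fix. The first half is a regex allowlist in front of eval(), built around a constructed nested-quantifier pattern that stands in for, and is not a copy of, the project's regex; the second half evaluates the same arithmetic with a small parser and no eval() at all. The function and class names (regexThenEval, SafeCalc), the allowlist, the probe input and the file name in the usage note are all constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8.0+), not code from YesWiki or CalcField.php: the regex, the
// names regexThenEval/SafeCalc and the probe input below are all constructed.
// Risky shape: regex allowlist, then eval(). The allowlist is a stand-in, not the
// project's pattern; its nested quantifier (\d+ ...)+ backtracks exponentially.
function regexThenEval(string $formula): ?float
{
    $ok = preg_match('/^(\d+(\.\d+)?|[+\-*\/() ]+)+$/', $formula);
    if ($ok !== 1) {
        // false (not 0) means PCRE hit pcre.backtrack_limit or the JIT stack limit:
        // the CPU is already spent, and a caller testing only for 0 misses it.
        if ($ok === false) { fwrite(STDERR, 'regex gave up: ' . preg_last_error_msg() . "\n"); }
        return null;
    }
    // Whatever the regex lets through runs as PHP: the allowlist, not eval(),
    // is the whole security boundary, and any gap in it is code execution.
    return (float) eval('return ' . $formula . ';');
}

// Safe shape: a small parser over a fixed alphabet, no eval(). One linear tokenizing
// pass, a length cap that also bounds recursion, precedence climbing for * / over + -.
final class SafeCalc
{
    private const MAX_LEN = 256;
    private const PREC = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    private array $tokens = [];
    private int $pos = 0;

    public static function evaluate(string $formula): float
    {
        if (strlen($formula) > self::MAX_LEN) { throw new InvalidArgumentException('formula too long'); }
        $c = new self();
        $c->tokens = $c->tokenize($formula);
        $value = $c->parseExpr();
        if ($c->pos !== count($c->tokens)) { throw new InvalidArgumentException('unexpected trailing input'); }
        return $value;
    }

    private function tokenize(string $s): array
    {
        $tokens = [];
        for ($i = 0, $n = strlen($s); $i < $n;) {
            $ch = $s[$i];
            if ($ch === ' ' || $ch === "\t") { $i++; continue; }
            if (strpos('+-*/()', $ch) !== false) { $tokens[] = ['op', $ch]; $i++; continue; }
            if (strpos('0123456789.', $ch) === false) {
                throw new InvalidArgumentException("illegal character '$ch' at offset $i");
            }
            $len = strspn($s, '0123456789.', $i);   // linear scan, no backtracking
            $lex = substr($s, $i, $len);
            if (!is_numeric($lex)) { throw new InvalidArgumentException("bad number '$lex'"); }
            $tokens[] = ['num', (float) $lex];
            $i += $len;
        }
        return $tokens;
    }

    private function peek(): ?array { return $this->tokens[$this->pos] ?? null; }

    // expr := factor (op expr)*
    private function parseExpr(int $minPrec = 1): float
    {
        $v = $this->parseFactor();
        while (($t = $this->peek()) !== null && $t[0] === 'op' && (self::PREC[$t[1]] ?? 0) >= $minPrec) {
            $this->pos++;
            $r = $this->parseExpr(self::PREC[$t[1]] + 1);
            if ($t[1] === '/' && $r == 0.0) { throw new DivisionByZeroError('division by zero'); }
            $v = match ($t[1]) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }

    // factor := number | '-' factor | '(' expr ')'
    private function parseFactor(): float
    {
        $t = $this->peek();
        if ($t === null) { throw new InvalidArgumentException('unexpected end of formula'); }
        $this->pos++;
        if ($t[0] === 'num') { return $t[1]; }
        if ($t[1] === '-') { return -$this->parseFactor(); }
        if ($t[1] === '(') {
            $v = $this->parseExpr();
            if (($this->peek()[1] ?? null) !== ')') { throw new InvalidArgumentException("missing ')'"); }
            $this->pos++;
            return $v;
        }
        throw new InvalidArgumentException("unexpected '{$t[1]}'");
    }
}

// Constructed inputs: a benign formula, and a probe of 40 characters the regex
// accepts followed by one it rejects, which forces the backtracking.
$probe = str_repeat('1', 40) . 'x';
foreach (['regexThenEval', 'SafeCalc::evaluate'] as $impl) {
    foreach (['2 + 3 * (4 - 1)' => 'benign', $probe => 'probe'] as $formula => $label) {
        $t0 = hrtime(true);
        try { $shown = var_export($impl($formula), true); }
        catch (Throwable $e) { $shown = 'rejected: ' . $e->getMessage(); }
        printf("%-18s %-6s -> %-45s %.2f ms\n", $impl, $label, $shown, (hrtime(true) - $t0) / 1e6);
    }
}
```

Run it as `php calc.php` on any PHP 8.0+ with the default PCRE settings. Both implementations evaluate the benign formula to 11. For the probe, PCRE backtracks exponentially until it reaches pcre.backtrack_limit (or the JIT stack limit), at which point preg_match() returns false rather than 0, so regexThenEval() writes the PCRE error to stderr and returns null, while SafeCalc rejects the same input after one pass with "illegal character 'x' at offset 40". Two practitioner checks follow: any code that still calls eval() on regex-filtered input must at least test preg_match() for === 1 rather than for truthiness, since a limit error looks like "no match" otherwise; and the durable fix is the second shape, where what can execute is exactly the grammar the parser implements rather than whatever a pattern happens to admit. Whether the 4.6.6 fix took this approach is not stated on this page.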

Affected Systems

All versions of YesWiki before 4.6.6 are affected. The vulnerable code is the Bazar form field calculator (CalcField.php), so any deployment with the Bazar form feature enabled is exposed, whichever earlier release it runs.

Risk and Exploitability

The CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates critical severity: network-reachable, low attack complexity, and no privileges or user interaction required. EPSS data is not available and the CVE is not listed in the CISA KEV catalog, but absence from KEV only records that no in-the-wild exploitation has been reported, not that exploitation is difficult. The attack path is submission of a crafted formula to the Bazar calculator through the web interface, which on a publicly reachable form needs no account; a single request can either exhaust the regex engine (denial of service) or, if the filter is bypassed, execute arbitrary PHP on the server.

Generated by OpenCVE AI on June 8, 2026 at 20:36 UTC.

Remediation

The vendor fix is YesWiki 4.6.6, which the CVE description states patches the issue. No separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade YesWiki to version 4.6.6 or later to apply the vendor patch that removes the unsafe eval usage.
  • Restrict access to the Bazar form feature to trusted users only, or disable the feature if it is not required.
  • Implement server‑side monitoring to detect unexpected load spikes or script crashes that could indicate an attempted ReDoS attack.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 21:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Yeswiki; Yeswiki yeswiki
Vendors & Products  |                | Yeswiki; Yeswiki yeswiki

Mon, 08 Jun 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.
Title       |                | YesWiki has Unsafe eval() in Formula Calculator - Remote Code Execution (RCE) & Denial of Service (DoS)
Weaknesses  |                | CWE-1333, CWE-94
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T18:24:21.671Z

Reserved: 2026-06-08T17:13:43.065Z

Link: CVE-2026-52778

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T19:16:46.683

Modified: 2026-06-08T19:16:46.683

Link: CVE-2026-52778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T21:30:06Z

Weaknesses