CVE-2025-46550

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.5.4

Description The issue affects the /BazaR endpoint and the idformulaire parameter, making them vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This may also allow attackers to deface the website or embed malicious content.

Recommendations For versions prior to 4.5.4, update to version 4.5.4 to resolve the issue. As a temporary workaround, consider restricting access to the /BazaR endpoint and avoiding the use of the idformulaire parameter until the issue is resolved.