PT-2026-29496 · Yeswiki · Yeswiki

Kh0Kamoni · Published 2026-04-01 · Updated 2026-04-03 · CVE-2026-34598

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
**Name of the Vulnerable Software and Affected Versions:** YesWiki versions prior to 4.6.0

**Description:** A stored, blind cross-site scripting (XSS) vulnerability exists in the form title field of YesWiki. An attacker can submit JavaScript in a form title without authentication; the application stores the value in its backend database and later renders it, without sanitization or output encoding, on a page viewed by other users, so the script executes in the browser context of any user who views that page. The proof of concept consists of visiting a specific form URL, entering a script in the 'Name of the event' and 'Description' fields, and saving the record; the payload then executes whenever anyone visits the resulting diary record.

**Recommendations:** Update to YesWiki version 4.6.0 or later.
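The pattern the description names, a stored title interpolated into HTML as-is, beside the output-encoded form a maintainer would ship, as an added PHP illustration that is not YesWiki's own code; the function names, the `$row` shape and the sample title are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample record standing in for a form title read back from the
// database. The markup in it only exists to make the two renderers differ.
$row = ['id' => 1, 'title' => 'Team meeting <script>alert(1)</script>'];

// Vulnerable pattern: the stored value goes into the page verbatim, so any
// markup the submitter typed becomes part of the page for every viewer.
function renderTitleUnsafe(array $row): string
{
    return '<h2 class="form-title">' . $row['title'] . '</h2>';
}

// Hardened pattern: encode at output time for the HTML text context.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently turning the whole title into an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTitleSafe(array $row): string
{
    return '<h2 class="form-title">' . escapeHtml($row['title']) . '</h2>';
}

// Regression check worth keeping in a test suite: the template contributes
// exactly two tags, so any further '<' in the output came from stored data.
function titleIsEncoded(string $html): bool
{
    return substr_count($html, '<') === 2;
}

$unsafe = renderTitleUnsafe($row);
$safe   = renderTitleSafe($row);

echo "unsafe: $unsafe\n"; // <script> tag reaches the page verbatim
echo "safe:   $safe\n";   // <script> becomes &lt;script&gt;

var_dump(titleIsEncoded($unsafe)); // bool(false)
var_dump(titleIsEncoded($safe));   // bool(true)
```

The same title is also likely to appear in other contexts (page `<title>`, link text, JSON), and each context needs its own encoding; a single HTML escape at output is not a substitute for encoding per context.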

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34598
GHSA-37FQ-47QJ-6J5J

Affected Products

Yeswiki