PT-2026-37109 · Yeswiki · Yeswiki

Morimori-Dev

·

Published

2026-04-18

·

Updated

2026-05-07

·

CVE-2026-41143

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

YesWiki versions prior to 4.6.1

Description

The bazar module contains a SQL injection flaw in the tools/bazar/services/EntryManager.php file. The issue occurs because the id_fiche value, sourced from the $_POST['id_fiche'] variable, is concatenated directly into a raw SQL query without sanitization or parameterization. This allows an authenticated user to execute arbitrary SQL commands via the '/api/entries/{formId}' endpoint by manipulating the id_fiche parameter. The vulnerability is triggered within the create() function, which calls formatDataBeforeSave(), eventually passing the unsanitized input to the loadSingle() function.

Recommendations

Update to version 4.6.1. As a temporary workaround, restrict access to the '/api/entries/{formId}' endpoint or avoid using the id_fiche parameter until the update is applied.
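The flaw class described above, as an added illustration that is not YesWiki's code: a lookup modelled on loadSingle() that concatenates the request value into the query, beside the same lookup using a bound parameter. The table and column names, the PDO connection and the function names are assumptions made for the demo.

```php
<?php
// Illustrative reconstruction of the pattern in the advisory, NOT code from YesWiki.
// Assumptions: a table `entries` keyed by `id_fiche`, and a PDO handle.

// Vulnerable pattern: the value taken from $_POST['id_fiche'] is spliced
// straight into the SQL text, so a quote in the value ends the string literal
// and the remainder of the value is parsed as SQL.
function loadSingleVulnerable(PDO $pdo, string $idFiche): ?array
{
    $sql = "SELECT * FROM entries WHERE id_fiche = '" . $idFiche . "' LIMIT 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: the value is bound as a parameter, so the database
// only ever sees it as data and the query structure cannot change.
function loadSingleSafe(PDO $pdo, string $idFiche): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM entries WHERE id_fiche = :id LIMIT 1');
    $stmt->execute([':id' => $idFiche]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE entries (id_fiche TEXT PRIMARY KEY, owner TEXT)");
$pdo->exec("INSERT INTO entries VALUES ('Entry1', 'alice'), ('Entry2', 'bob')");

// A constructed value that is not a valid id but contains a quote.
$notAnId = "x' OR '1'='1";
var_dump(loadSingleVulnerable($pdo, $notAnId)); // returns a row: the query was altered
var_dump(loadSingleSafe($pdo, $notAnId));       // NULL: no entry has that id
```

The same contrast applies to any sink that builds SQL from request data; the fix is to bind every request-derived value, not to filter individual characters.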

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-41143
GHSA-F58V-P6J9-24C2

Affected Products

Yeswiki