PT-2026-37308 · Unknown · Yet Another Forum.Net

Published: 2026-05-05 · Updated: 2026-05-12 · CVE-2026-43937

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: YetAnotherForum.NET (YAF.NET) versions prior to 4.0.5
Description: An authorization bypass exists because the PageSecurityCheckAttribute is implemented as a ResultFilterAttribute, which executes only after the page handler has completed. Consequently, any admin OnPost handler executes its side effects before the response is rewritten to a redirect. A critical instance of this issue is found in the '/Admin/RunSql' endpoint, where the OnPostRunQuery() function binds the Editor variable from the POST body and passes it to IDbAccess.RunSql() without verifying the caller's permissions. This allows any low-privileged authenticated user to perform arbitrary blind SQL execution against the database, potentially leading to full loss of confidentiality, integrity, and availability. If the SQL Server instance has xp_cmdshell or CLR integration enabled, this can escalate to OS-level command execution on the database host.
Recommendations: Update to version 4.0.5. Convert PageSecurityCheckAttribute from a ResultFilterAttribute to an IAsyncPageFilter to ensure the admin check runs before any handler side effects occur. Implement an ASP.NET Core authorization policy using AddAuthorization and AuthorizeFolder('/Admin', 'YafAdmin') as defense-in-depth. Restrict the '/Admin/RunSql' endpoint to HostAdmin only and implement a statement-type allow-list for IDbAccess.RunSql() to reject non-read-only SQL. Audit and fix all authorization logic implemented in ResultFilterAttribute or OnResultExecuting(Async) to resolve the lifecycle bug.
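The filter-lifecycle point in the description and the first two recommendations, as an added example written for this page (it is not YAF.NET's code and does not reproduce its PageSecurityCheckAttribute). In ASP.NET Core Razor Pages a result filter's OnResultExecuting runs after the handler method has returned, so an authorization check placed there can only replace the response, not prevent the handler's side effects; an IAsyncPageFilter that sets context.Result in OnPageHandlerExecutionAsync stops the handler from running at all. The IAdminCheck service, the "Admin" role name and the "/Index" redirect target are assumptions for illustration; the "YafAdmin" policy name and the "/Admin" folder come from the advisory.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Defense in depth (second recommendation): a policy that every page under
// /Admin must satisfy, enforced by the framework before any handler runs.
// The role name "Admin" is an assumption for this example.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("YafAdmin", policy =>
        policy.RequireAuthenticatedUser().RequireRole("Admin"));
});

builder.Services.AddScoped<IAdminCheck, RoleAdminCheck>();
builder.Services.AddScoped<EarlyAdminCheckFilter>();

builder.Services.AddRazorPages(options =>
{
    // Folder-wide policy from the advisory's recommendation.
    options.Conventions.AuthorizeFolder("/Admin", "YafAdmin");
    // Attach the page filter (first recommendation) to the same folder so the
    // application-specific admin check also runs before handler execution.
    options.Conventions.AddFolderApplicationModelConvention("/Admin", model =>
        model.Filters.Add(new ServiceFilterAttribute(typeof(EarlyAdminCheckFilter))));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Hypothetical admin-permission service; stands in for the project's own.
public interface IAdminCheck
{
    bool IsAdmin(ClaimsPrincipal user);
}

public sealed class RoleAdminCheck : IAdminCheck
{
    public bool IsAdmin(ClaimsPrincipal user) =>
        user.Identity?.IsAuthenticated == true && user.IsInRole("Admin");
}

// BEFORE (the flawed shape the advisory describes): authorization in a result
// filter. When OnResultExecuting runs, the OnPost handler has already
// executed, so any database write it performed cannot be undone here; only
// the response is swapped for a redirect.
public sealed class LateAdminCheckAttribute : ResultFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext context)
    {
        var check = context.HttpContext.RequestServices.GetRequiredService<IAdminCheck>();
        if (!check.IsAdmin(context.HttpContext.User))
        {
            context.Result = new RedirectToPageResult("/Index"); // too late
        }
    }
}

// AFTER (the recommended shape): a page filter. Setting context.Result before
// calling next() short-circuits the pipeline, so the handler never executes.
public sealed class EarlyAdminCheckFilter : IAsyncPageFilter
{
    private readonly IAdminCheck _check;

    public EarlyAdminCheckFilter(IAdminCheck check) => _check = check;

    public Task OnPageHandlerSelectionAsync(PageHandlerSelectedContext context)
        => Task.CompletedTask;

    public async Task OnPageHandlerExecutionAsync(
        PageHandlerExecutingContext context,
        PageHandlerExecutionDelegate next)
    {
        if (!_check.IsAdmin(context.HttpContext.User))
        {
            // Deny before any OnGet/OnPost side effects can occur.
            context.Result = new RedirectToPageResult("/Index");
            return;
        }
        await next();
    }
}
```

The last recommendation in the list, auditing every check that lives in a ResultFilterAttribute or an OnResultExecuting(Async) override, follows from the same lifecycle fact: any such check should be moved into a page filter, an action filter or an authorization policy, all of which run before the handler.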

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-43937
GHSA-XHW7-J96H-C3G5

Affected Products

Yet Another Forum.Net