PT-2026-42810 · Yeswiki · Yeswiki

Published

2026-05-22

·

Updated

2026-05-26

·

CVE-2026-46670

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.4
Description An unauthenticated SQL injection exists in the Bazar form-import functionality. An unauthenticated visitor can inject arbitrary SQL into an INSERT statement via the FormManager::create() function. This occurs due to the unquoted concatenation of the bn id nature variable into the SQL query. This flaw allows an attacker to read the entire database, including sensitive information such as user emails and yeswiki users.password hashes.
Recommendations Update to version 4.6.4 or later. As a temporary workaround, restrict access to the Bazar form-import functionality and the FormManager::create() function until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46670
GHSA-JWVV-QR7Q-CV8J

Affected Products

Yeswiki