PT-2026-42810 · Yeswiki · Yeswiki
Published
2026-05-22
·
Updated
2026-05-26
·
CVE-2026-46670
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
YesWiki versions prior to 4.6.4
Description
An unauthenticated SQL injection exists in the Bazar form-import functionality. An unauthenticated visitor can inject arbitrary SQL into an
INSERT statement via the FormManager::create() function. This occurs due to the unquoted concatenation of the bn id nature variable into the SQL query. This flaw allows an attacker to read the entire database, including sensitive information such as user emails and yeswiki users.password hashes.Recommendations
Update to version 4.6.4 or later.
As a temporary workaround, restrict access to the Bazar form-import functionality and the
FormManager::create() function until the update is applied.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Yeswiki