YesWiki PHP Object Injection Vulnerability (CVE-2026-52777)
An authenticated PHP Object Injection vulnerability (CVE-2026-52777) in YesWiki's `BazarImportAction`, specifically within the `unserialize` function, allows remote code execution (RCE) on the YesWiki server when an authenticated administrator's browser is targeted via a cross-site request forgery (CSRF) attack.
A critical authenticated PHP Object Injection vulnerability, tracked as CVE-2026-52777, has been identified in YesWiki versions prior to 4.6.6. The flaw resides in the BazarImportAction component, specifically within the unserialize function in tools/bazar/services/CSVManager.php, which processes user-supplied data without proper class whitelisting. This oversight allows an attacker to instantiate arbitrary classes and trigger magic methods, facilitating gadget chains, such as those found in doctrine/annotations and doctrine/cache dependencies (e.g., PHPGGC chains Doctrine/RCE1 or Doctrine/FW1), to achieve remote code execution. The vulnerability is made exploitable via a Cross-Site Request Forgery (CSRF) attack, as the affected action lacks CSRF protection, enabling a remote attacker to deliver a malicious HTML page that automatically triggers the payload when an authenticated administrator visits it. This allows an attacker to gain full control over the YesWiki hosting server.
Attack Chain
- The attacker identifies an authenticated administrator account on the target YesWiki instance.
- The attacker crafts a malicious HTML page containing JavaScript that performs an auto-POST request to the vulnerable
bazarimportendpoint (/?BazaR&vue=importer&id_typeannonce=1). - This POST request includes a
importfiche[0]parameter containing a base64-encoded, serialized PHP object payload, leveraging a known gadget chain (e.g., fromdoctrine/annotationsordoctrine/cache). - The malicious HTML page is delivered to the administrator via email, chat, or a link, and when the administrator opens the page, their browser automatically sends their session cookie along with the crafted POST request.
- The YesWiki application processes the request; the
checkSecuredACL()method passes because the request originates from an authenticated administrator session, and critically, no CSRF token check is performed. - The
importEntryfunction intools/bazar/services/CSVManager.phpdecodes the base64 string andunserializes the PHP object without theallowed_classesrestriction. - The deserialization process triggers the attacker-controlled gadget chain, leading to the execution of arbitrary PHP code (e.g.,
system($cmd)) or writing a web shell to the server. - The attacker gains remote code execution, obtaining an operating system shell on the YesWiki hosting server, bypassing the web application layer.
Impact
Successful exploitation of CVE-2026-52777 results in immediate and complete remote code execution on the YesWiki server. This means an attacker who can trick an authenticated administrator into clicking a link can elevate their access from managing wiki content to having an operating system shell on the hosting box. The compromise allows attackers to write web shells for persistence, exfiltrate sensitive data including other websites on shared hosting environments, dump the entire MySQL database, modify critical configuration files such as wakka.config.php, and pivot to other systems within the network. This level of access grants full control over the server and its hosted data, posing a severe risk of data breach, service disruption, and further lateral movement.
Recommendation
- Patch CVE-2026-52777 immediately by upgrading YesWiki to version 4.6.6 or newer. This addresses the vulnerability in
composer/yeswiki/yeswiki < 4.6.6. - Deploy the provided Sigma rule to your SIEM to detect exploitation attempts targeting the vulnerable
BazarImportActionendpoint. Tune the rule for your environment. - Implement CSRF protection for the
bazarimportaction to prevent cross-site request forgery attacks, specifically ensuringCsrfTokenController::checkTokenis applied to the'importentries'mode intools/bazar/actions/BazarImportAction.php. - Review
tools/bazar/services/CSVManager.php::importEntryto ensureunserializecalls either include['allowed_classes' => false]or, preferably, migrate to a safer JSON-based transport mechanism.
Detection coverage 1
Detect CVE-2026-52777 YesWiki PHP Object Injection Attempt
highDetects exploitation attempts for CVE-2026-52777, an authenticated PHP Object Injection vulnerability in YesWiki. Looks for POST requests to the Bazar importer endpoint containing 'importfiche' parameter with base64-encoded serialized object data.
Detection queries are available on the platform. Get full rules →