YesWiki Unauthenticated Arbitrary Page Deletion (CVE-2026-52766)
YesWiki versions prior to 4.6.6 are vulnerable to unauthenticated arbitrary page deletion (CVE-2026-52766) via the `{{erasespamedcomments}}` wiki action, allowing any unauthenticated user to permanently delete arbitrary wiki pages, including critical ones, by sending a crafted POST request.
A critical vulnerability, CVE-2026-52766, has been identified in YesWiki versions prior to 4.6.6, enabling unauthenticated arbitrary page deletion. The flaw resides within the {{erasespamedcomments}} wiki action, specifically actions/EraseSpamedCommentsAction.php, which processes suppr[] parameters from a POST request without any authorization checks. This is exacerbated by YesWiki's default permissive action ACL model, where default_write_acl='*' allows any user, including unauthenticated ones, to trigger page creation. Furthermore, the PageManager::deleteOrphaned() function, despite its name, unconditionally deletes any specified page without validating its orphaned status or user permissions. This combination allows attackers to craft HTTP requests to delete any wiki page, including critical administrative pages or the front page, leading to significant data loss and service disruption. Defenders must patch immediately to prevent unauthorized content removal.
Attack Chain
- Attacker identifies a vulnerable YesWiki instance (version < 4.6.6) with default
default_write_acl='*'. - Attacker crafts and sends an HTTP POST request to create a new wiki page, for example, to
/wiki=SpamCleanup/edit. - The POST request body contains the malicious string
body={{erasespamedcomments}}, embedding the vulnerable action. - YesWiki, due to the permissive
default_write_acl, processes and creates the trigger page containing theerasespamedcommentsaction without authentication. - Attacker then crafts a second HTTP POST request targeting the newly created trigger page, for example, to
/wiki=SpamCleanup. - This request includes
clean=yesand asuppr[]array in the body, specifying thetagof the arbitrary target pages to be deleted (e.g.,PagePrincipale,AnotherTargetPage). - The
actions/EraseSpamedCommentsAction.phpprocesses the request, invokingPageController::delete()andPageManager::deleteOrphaned(). - YesWiki, lacking authorization checks in the action and an unconditional delete function, permanently removes the specified wiki pages, their links, ACLs, and related data from the database.
Impact
Successful exploitation of CVE-2026-52766 allows an unauthenticated attacker to perform arbitrary page deletion, including critical system pages like the front page (PagePrincipale), user-created content, or administrative sections. This leads to severe data loss, defacement, and disruption of the wiki service. The impact can range from temporary unavailability due to critical page deletion to permanent loss of valuable information, depending on backup strategies and the targeted content. Given the unauthenticated nature, mass deletion across entire wiki installations is possible.
Recommendation
- Immediately patch YesWiki installations to version 4.6.6 or higher to remediate CVE-2026-52766.
- Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.
- Review web server access logs for HTTP POST requests matching the patterns in the provided Sigma rules.
- Implement strong access controls for web applications, including disabling unnecessary public write access and enforcing authentication for sensitive actions.
Detection coverage 2
Detect YesWiki CVE-2026-52766 Trigger Page Creation
highDetects the creation of a YesWiki page containing the `{{erasespamedcomments}}` action, a precursor to arbitrary page deletion via CVE-2026-52766. This uses POST body content reflected in cs-uri-query.
Detect YesWiki CVE-2026-52766 Arbitrary Page Deletion
criticalDetects exploitation of CVE-2026-52766 - an unauthenticated HTTP POST request to a YesWiki page containing `clean=yes` and `suppr[]` parameters, indicating an attempt to arbitrarily delete wiki pages.
Detection queries are available on the platform. Get full rules →