Product
An unauthenticated attacker can exploit CVE-2026-52770, an SQL injection vulnerability in YesWiki's public Bazar entry-listing APIs, by manipulating numeric `query` or `queries` GET parameters, to use the application as a boolean oracle for inferring sensitive database contents like user accounts and password hashes.