{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeswiki--4.6.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["YesWiki (\u003c 4.6.6)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","vulnerability","yeswiki"],"_cs_type":"advisory","_cs_vendors":["YesWiki"],"content_html":"\u003cp\u003eYesWiki, an open-source wiki software, is vulnerable to an unauthenticated SQL injection, tracked as CVE-2026-52770, affecting versions prior to 4.6.6. This vulnerability resides in the public Bazar entry-listing APIs, specifically when processing numeric \u003ccode\u003equery\u003c/code\u003e or \u003ccode\u003equeries\u003c/code\u003e GET parameters. An attacker can craft malicious input containing boolean SQL expressions that are improperly handled, allowing direct insertion into the database query without sufficient quoting or validation. This enables an unauthenticated attacker to leverage the application as a boolean oracle, inferring sensitive information from the database, such as user account data, password hashes, and private wiki metadata, based on variations in API responses. The issue stems from the \u003ccode\u003eSearchManager::buildQueriesConditions()\u003c/code\u003e function in \u003ccode\u003etools/bazar/services/SearchManager.php\u003c/code\u003e where \u003ccode\u003emysqli_real_escape_string()\u003c/code\u003e is used, but the resulting string is embedded into a numeric context without enclosing quotes, thus reactivating SQL syntax.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a YesWiki instance running an affected version (less than 4.6.6) that exposes public Bazar API endpoints, such as \u003ccode\u003e/api/forms/{formId}/entries\u003c/code\u003e or \u003ccode\u003e/api/entries/bazarlist\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to one of these public API endpoints, including a \u003ccode\u003equery\u003c/code\u003e or \u003ccode\u003equeries\u003c/code\u003e parameter intended for a numeric Bazar field.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003equery\u003c/code\u003e parameter, the attacker injects a boolean SQL payload, for example, \u003ccode\u003ebf_age\u0026gt;100 OR (SELECT COUNT(*) FROM yeswiki_users)\u0026gt;0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe YesWiki application's \u003ccode\u003eApiController.php\u003c/code\u003e parses the \u003ccode\u003equery\u003c/code\u003e parameter and passes it to \u003ccode\u003eBazarListService::getEntries()\u003c/code\u003e and subsequently \u003ccode\u003eSearchManager::search()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSearchManager::buildQueriesConditions()\u003c/code\u003e function processes the attacker's input, performing \u003ccode\u003emysqli_real_escape_string()\u003c/code\u003e but then embedding the parameter directly into an SQL query within a numeric context without proper quoting.\u003c/li\u003e\n\u003cli\u003eThe backend database executes the maliciously crafted SQL query, where the injected boolean expression evaluates to true or false, depending on the database's contents (e.g., whether \u003ccode\u003eCOUNT(*)\u003c/code\u003e returns a value greater than zero).\u003c/li\u003e\n\u003cli\u003eThe application's HTTP response (e.g., the number of entries returned or the presence of specific entries) varies based on the outcome of the boolean SQL expression, serving as a boolean oracle.\u003c/li\u003e\n\u003cli\u003eThe attacker repeatedly sends modified requests, incrementally inferring sensitive database contents, such as user accounts, password hashes, and private wiki metadata, through this boolean blind SQL injection technique.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis unauthenticated SQL injection allows an attacker to query and extract sensitive data from the YesWiki database. While there are no specific victim counts or sectors mentioned, the ability to infer database contents poses a severe risk. Attackers can potentially gain access to user credentials (including password hashes), internal wiki content, and other confidential metadata. If successful, this can lead to unauthorized access to the YesWiki application, privilege escalation, or further compromise of the underlying server infrastructure, depending on the privileges of the database user account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-52770 immediately by updating YesWiki to version 4.6.6 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious activity related to CVE-2026-52770.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for HTTP GET requests to \u003ccode\u003e/api/\u003c/code\u003e endpoints that contain unusual SQL keywords or boolean logic in \u003ccode\u003equery\u003c/code\u003e or \u003ccode\u003equeries\u003c/code\u003e parameters, as described in the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement Web Application Firewall (WAF) rules to detect and block SQL injection attempts against YesWiki public API endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T21:11:12Z","date_published":"2026-07-09T21:11:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-bazar-sqli/","summary":"An unauthenticated attacker can exploit CVE-2026-52770, an SQL injection vulnerability in YesWiki's public Bazar entry-listing APIs, by manipulating numeric `query` or `queries` GET parameters, to use the application as a boolean oracle for inferring sensitive database contents like user accounts and password hashes.","title":"YesWiki Public Bazar API Unauthenticated SQL Injection (CVE-2026-52770)","url":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-bazar-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - YesWiki (\u003c 4.6.6)","version":"https://jsonfeed.org/version/1.1"}