{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeswiki-4.x-versions--4.6.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["YesWiki 4.x (versions \u003c 4.6.6)"],"_cs_severities":["high"],"_cs_tags":["yeswiki","ssti","rce","web-application","php","cve"],"_cs_type":"advisory","_cs_vendors":["YesWiki"],"content_html":"\u003cp\u003eA critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-52762, exists in YesWiki Bazar versions prior to 4.6.6. This flaw allows an authenticated administrator to inject arbitrary Twig expressions into semantic template fields (\u003ccode\u003ebn_sem_template\u003c/code\u003e or \u003ccode\u003ebn_sem_reverse_template\u003c/code\u003e). These stored payloads are then executed server-side when public semantic endpoints are requested, leading to confirmed Remote Code Execution (RCE). The attack is persistent as the malicious template is saved in the application's configuration, and it can be triggered remotely by requests to public endpoints such as \u003ccode\u003e/api/forms/{id}/entries/json-ld\u003c/code\u003e. This enables an attacker with administrative access to escalate privileges from application-level control to full operating system compromise. The vulnerability was confirmed through proof-of-concept testing, demonstrating both arbitrary Twig execution and the establishment of an interactive shell on the compromised host.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated YesWiki administrator accesses the Bazar form management interface to edit an existing form (e.g., form ID 2).\u003c/li\u003e\n\u003cli\u003eThe administrator crafts and injects a malicious Twig expression (e.g., a reverse shell payload or a \u003ccode\u003esystem()\u003c/code\u003e call) into the \u003ccode\u003eSemantic template (Twig)\u003c/code\u003e field (\u003ccode\u003ebn_sem_template\u003c/code\u003e or \u003ccode\u003ebn_sem_reverse_template\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eYesWiki's backend saves this malicious payload in the application's form configuration database, establishing persistence.\u003c/li\u003e\n\u003cli\u003eA subsequent HTTP GET request, which can be unauthenticated, is made to a public semantic endpoint, such as \u003ccode\u003e/api/forms/{id}/entries/json-ld\u003c/code\u003e (e.g., \u003ccode\u003eGET /api/forms/2/entries/json-ld\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe YesWiki application attempts to render the form's semantic template using the vulnerable \u003ccode\u003eTemplateEngine::renderFromStringNoEscape()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the rendering process, the server-side Twig engine processes and executes the previously stored malicious expression, leading to the execution of arbitrary system commands on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives an inbound connection (e.g., a reverse shell), establishing an interactive shell session on the YesWiki host.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full operating-system-level control over the underlying server, enabling further actions like lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-52762 allows an authenticated administrator to achieve full Remote Code Execution on the YesWiki server. This critical vulnerability breaks the expected trust boundary, enabling an attacker with administrative application access to pivot to full interactive shell access and system-level compromise. The consequences include unauthorized access to sensitive data, modification or deletion of system files, deployment of malware, and complete control over the compromised server, effectively bypassing application-level security controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade YesWiki to version 4.6.6 or later to apply the patch for CVE-2026-52762.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious process creation indicative of post-exploitation RCE attempts originating from the web server.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious HTTP requests to \u003ccode\u003e/api/forms/*/entries/json-ld\u003c/code\u003e that may indicate exploitation attempts, especially if followed by unusual outbound network activity from the web server's host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T20:56:29Z","date_published":"2026-07-09T20:56:29Z","id":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-ssti-rce/","summary":"An authenticated administrator can exploit a Server-Side Template Injection (SSTI) vulnerability (CVE-2026-52762) in YesWiki Bazar's semantic templates to achieve Remote Code Execution (RCE) on the underlying server, allowing for full system compromise.","title":"YesWiki Bazar Admin Server-Side Template Injection to RCE (CVE-2026-52762)","url":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-ssti-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - YesWiki 4.x (Versions \u003c 4.6.6)","version":"https://jsonfeed.org/version/1.1"}