<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>YesWiki 4.x (Versions &lt; 4.6.6) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/yeswiki-4.x-versions--4.6.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 20:56:29 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/yeswiki-4.x-versions--4.6.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>YesWiki Bazar Admin Server-Side Template Injection to RCE (CVE-2026-52762)</title><link>https://feed.craftedsignal.io/briefs/2026-07-yeswiki-ssti-rce/</link><pubDate>Thu, 09 Jul 2026 20:56:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-yeswiki-ssti-rce/</guid><description>An authenticated administrator can exploit a Server-Side Template Injection (SSTI) vulnerability (CVE-2026-52762) in YesWiki Bazar's semantic templates to achieve Remote Code Execution (RCE) on the underlying server, allowing for full system compromise.</description><content:encoded><![CDATA[<p>A critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-52762, exists in YesWiki Bazar versions prior to 4.6.6. This flaw allows an authenticated administrator to inject arbitrary Twig expressions into semantic template fields (<code>bn_sem_template</code> or <code>bn_sem_reverse_template</code>). These stored payloads are then executed server-side when public semantic endpoints are requested, leading to confirmed Remote Code Execution (RCE). The attack is persistent as the malicious template is saved in the application's configuration, and it can be triggered remotely by requests to public endpoints such as <code>/api/forms/{id}/entries/json-ld</code>. This enables an attacker with administrative access to escalate privileges from application-level control to full operating system compromise. The vulnerability was confirmed through proof-of-concept testing, demonstrating both arbitrary Twig execution and the establishment of an interactive shell on the compromised host.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated YesWiki administrator accesses the Bazar form management interface to edit an existing form (e.g., form ID 2).</li>
<li>The administrator crafts and injects a malicious Twig expression (e.g., a reverse shell payload or a <code>system()</code> call) into the <code>Semantic template (Twig)</code> field (<code>bn_sem_template</code> or <code>bn_sem_reverse_template</code>).</li>
<li>YesWiki's backend saves this malicious payload in the application's form configuration database, establishing persistence.</li>
<li>A subsequent HTTP GET request, which can be unauthenticated, is made to a public semantic endpoint, such as <code>/api/forms/{id}/entries/json-ld</code> (e.g., <code>GET /api/forms/2/entries/json-ld</code>).</li>
<li>The YesWiki application attempts to render the form's semantic template using the vulnerable <code>TemplateEngine::renderFromStringNoEscape()</code> function.</li>
<li>During the rendering process, the server-side Twig engine processes and executes the previously stored malicious expression, leading to the execution of arbitrary system commands on the server.</li>
<li>The attacker receives an inbound connection (e.g., a reverse shell), establishing an interactive shell session on the YesWiki host.</li>
<li>The attacker gains full operating-system-level control over the underlying server, enabling further actions like lateral movement or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52762 allows an authenticated administrator to achieve full Remote Code Execution on the YesWiki server. This critical vulnerability breaks the expected trust boundary, enabling an attacker with administrative application access to pivot to full interactive shell access and system-level compromise. The consequences include unauthorized access to sensitive data, modification or deletion of system files, deployment of malware, and complete control over the compromised server, effectively bypassing application-level security controls.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade YesWiki to version 4.6.6 or later to apply the patch for CVE-2026-52762.</li>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious process creation indicative of post-exploitation RCE attempts originating from the web server.</li>
<li>Review web server logs for suspicious HTTP requests to <code>/api/forms/*/entries/json-ld</code> that may indicate exploitation attempts, especially if followed by unusual outbound network activity from the web server's host.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>yeswiki</category><category>ssti</category><category>rce</category><category>web-application</category><category>php</category><category>cve</category></item></channel></rss>