{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeswiki/yeswiki--4.6.4/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yeswiki/yeswiki (\u003c 4.6.4)"],"_cs_severities":["critical"],"_cs_tags":["sqli","web-application","yeswiki"],"_cs_type":"advisory","_cs_vendors":["YesWiki"],"content_html":"\u003cp\u003eYesWiki is susceptible to an unauthenticated SQL injection vulnerability within the Bazar form-import functionality, specifically affecting versions prior to 4.6.4. The vulnerability resides in the \u003ccode\u003eFormManager::create()\u003c/code\u003e function, where unsanitized input is concatenated into an SQL INSERT statement. This allows any unauthenticated visitor to inject arbitrary SQL code and potentially extract sensitive information, including user credentials, from the database. The issue was identified and analyzed against commit \u003ccode\u003e1f485c049db030b94c047ec219e63534ac81142e\u003c/code\u003e. Exploitation is straightforward, requiring only a crafted HTTP POST request, making this a critical vulnerability for any publicly accessible YesWiki instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the \u003ccode\u003e/?BazaR\u0026amp;vue=formulaire\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request contains a specially crafted \u003ccode\u003eimported-form\u003c/code\u003e parameter with SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFormManager::create()\u003c/code\u003e function (FormManager.php#L258) processes the request and concatenates the malicious input into an SQL INSERT statement without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code executes within the context of the YesWiki database.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the SQL injection to extract data from the \u003ccode\u003eyeswiki_users\u003c/code\u003e table, including email addresses and password hashes.\u003c/li\u003e\n\u003cli\u003eThe extracted data is encoded and embedded within the \u003ccode\u003ebn_id_nature\u003c/code\u003e field of a newly created database entry.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends a request to \u003ccode\u003e/?api/forms\u003c/code\u003e to retrieve the \u003ccode\u003ebn_id_nature\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe attacker decodes the extracted data to obtain sensitive information, such as usernames, emails, and password hashes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-46670) allows an unauthenticated attacker to dump the entire YesWiki database. This includes sensitive information such as usernames, email addresses, and, most critically, hashed passwords of all users. This complete data breach can lead to account compromise, unauthorized access to sensitive wiki content, and potential lateral movement within the organization if users reuse passwords across multiple services. The impact is particularly severe given the ease of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade YesWiki to version 4.6.4 or later to patch the SQL injection vulnerability in \u003ccode\u003eFormManager::create()\u003c/code\u003e (reference: GHSA-jwvv-qr7q-cv8j).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect YesWiki Unauthenticated SQL Injection Attempt\u0026rdquo; to detect exploitation attempts against the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/?BazaR\u0026amp;vue=formulaire\u003c/code\u003e with suspicious characters in the \u003ccode\u003eimported-form\u003c/code\u003e parameter (reference: sample HTTP request in the content).\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u0026ldquo;Detect YesWiki Data Exfiltration via API\u0026rdquo; to detect attempts to retrieve encoded data using the \u003ccode\u003e/?api/forms\u003c/code\u003e endpoint after successful SQL injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-22T15:40:07Z","date_published":"2026-05-22T15:40:07Z","id":"https://feed.craftedsignal.io/briefs/2026-05-yeswiki-sqli/","summary":"YesWiki versions prior to 4.6.4 are vulnerable to an unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`), allowing an unauthenticated attacker to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password` hashes (CVE-2026-46670).","title":"YesWiki Unauthenticated SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-yeswiki-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Yeswiki/Yeswiki (\u003c 4.6.4)","version":"https://jsonfeed.org/version/1.1"}