{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yeswiki/yeswiki--4.6.6/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yeswiki/yeswiki (\u003c 4.6.6)"],"_cs_severities":["critical"],"_cs_tags":["web-application","rce","data-destruction","cve","yeswiki"],"_cs_type":"advisory","_cs_vendors":["YesWiki"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-52766, has been identified in YesWiki versions prior to 4.6.6, enabling unauthenticated arbitrary page deletion. The flaw resides within the \u003ccode\u003e{{erasespamedcomments}}\u003c/code\u003e wiki action, specifically \u003ccode\u003eactions/EraseSpamedCommentsAction.php\u003c/code\u003e, which processes \u003ccode\u003esuppr[]\u003c/code\u003e parameters from a POST request without any authorization checks. This is exacerbated by YesWiki's default permissive action ACL model, where \u003ccode\u003edefault_write_acl='*'\u003c/code\u003e allows any user, including unauthenticated ones, to trigger page creation. Furthermore, the \u003ccode\u003ePageManager::deleteOrphaned()\u003c/code\u003e function, despite its name, unconditionally deletes any specified page without validating its orphaned status or user permissions. This combination allows attackers to craft HTTP requests to delete any wiki page, including critical administrative pages or the front page, leading to significant data loss and service disruption. Defenders must patch immediately to prevent unauthorized content removal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable YesWiki instance (version \u0026lt; 4.6.6) with default \u003ccode\u003edefault_write_acl='*'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts and sends an HTTP POST request to create a new wiki page, for example, to \u003ccode\u003e/wiki=SpamCleanup/edit\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request body contains the malicious string \u003ccode\u003ebody={{erasespamedcomments}}\u003c/code\u003e, embedding the vulnerable action.\u003c/li\u003e\n\u003cli\u003eYesWiki, due to the permissive \u003ccode\u003edefault_write_acl\u003c/code\u003e, processes and creates the trigger page containing the \u003ccode\u003eerasespamedcomments\u003c/code\u003e action without authentication.\u003c/li\u003e\n\u003cli\u003eAttacker then crafts a second HTTP POST request targeting the newly created trigger page, for example, to \u003ccode\u003e/wiki=SpamCleanup\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis request includes \u003ccode\u003eclean=yes\u003c/code\u003e and a \u003ccode\u003esuppr[]\u003c/code\u003e array in the body, specifying the \u003ccode\u003etag\u003c/code\u003e of the arbitrary target pages to be deleted (e.g., \u003ccode\u003ePagePrincipale\u003c/code\u003e, \u003ccode\u003eAnotherTargetPage\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eactions/EraseSpamedCommentsAction.php\u003c/code\u003e processes the request, invoking \u003ccode\u003ePageController::delete()\u003c/code\u003e and \u003ccode\u003ePageManager::deleteOrphaned()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eYesWiki, lacking authorization checks in the action and an unconditional delete function, permanently removes the specified wiki pages, their links, ACLs, and related data from the database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-52766 allows an unauthenticated attacker to perform arbitrary page deletion, including critical system pages like the front page (\u003ccode\u003ePagePrincipale\u003c/code\u003e), user-created content, or administrative sections. This leads to severe data loss, defacement, and disruption of the wiki service. The impact can range from temporary unavailability due to critical page deletion to permanent loss of valuable information, depending on backup strategies and the targeted content. Given the unauthenticated nature, mass deletion across entire wiki installations is possible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch YesWiki installations to version 4.6.6 or higher to remediate CVE-2026-52766.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for HTTP POST requests matching the patterns in the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls for web applications, including disabling unnecessary public write access and enforcing authentication for sensitive actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T21:01:14Z","date_published":"2026-07-09T21:01:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-unauth-page-delete/","summary":"YesWiki versions prior to 4.6.6 are vulnerable to unauthenticated arbitrary page deletion (CVE-2026-52766) via the `{{erasespamedcomments}}` wiki action, allowing any unauthenticated user to permanently delete arbitrary wiki pages, including critical ones, by sending a crafted POST request.","title":"YesWiki Unauthenticated Arbitrary Page Deletion (CVE-2026-52766)","url":"https://feed.craftedsignal.io/briefs/2026-07-yeswiki-unauth-page-delete/"}],"language":"en","title":"CraftedSignal Threat Feed - Yeswiki/Yeswiki (\u003c 4.6.6)","version":"https://jsonfeed.org/version/1.1"}