<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Yeswiki/Yeswiki (&lt; 4.6.6) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/yeswiki/yeswiki--4.6.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 21:01:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/yeswiki/yeswiki--4.6.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>YesWiki Unauthenticated Arbitrary Page Deletion (CVE-2026-52766)</title><link>https://feed.craftedsignal.io/briefs/2026-07-yeswiki-unauth-page-delete/</link><pubDate>Thu, 09 Jul 2026 21:01:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-yeswiki-unauth-page-delete/</guid><description>YesWiki versions prior to 4.6.6 are vulnerable to unauthenticated arbitrary page deletion (CVE-2026-52766) via the `{{erasespamedcomments}}` wiki action, allowing any unauthenticated user to permanently delete arbitrary wiki pages, including critical ones, by sending a crafted POST request.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-52766, has been identified in YesWiki versions prior to 4.6.6, enabling unauthenticated arbitrary page deletion. The flaw resides within the <code>{{erasespamedcomments}}</code> wiki action, specifically <code>actions/EraseSpamedCommentsAction.php</code>, which processes <code>suppr[]</code> parameters from a POST request without any authorization checks. This is exacerbated by YesWiki's default permissive action ACL model, where <code>default_write_acl='*'</code> allows any user, including unauthenticated ones, to trigger page creation. Furthermore, the <code>PageManager::deleteOrphaned()</code> function, despite its name, unconditionally deletes any specified page without validating its orphaned status or user permissions. This combination allows attackers to craft HTTP requests to delete any wiki page, including critical administrative pages or the front page, leading to significant data loss and service disruption. Defenders must patch immediately to prevent unauthorized content removal.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable YesWiki instance (version &lt; 4.6.6) with default <code>default_write_acl='*'</code>.</li>
<li>Attacker crafts and sends an HTTP POST request to create a new wiki page, for example, to <code>/wiki=SpamCleanup/edit</code>.</li>
<li>The POST request body contains the malicious string <code>body={{erasespamedcomments}}</code>, embedding the vulnerable action.</li>
<li>YesWiki, due to the permissive <code>default_write_acl</code>, processes and creates the trigger page containing the <code>erasespamedcomments</code> action without authentication.</li>
<li>Attacker then crafts a second HTTP POST request targeting the newly created trigger page, for example, to <code>/wiki=SpamCleanup</code>.</li>
<li>This request includes <code>clean=yes</code> and a <code>suppr[]</code> array in the body, specifying the <code>tag</code> of the arbitrary target pages to be deleted (e.g., <code>PagePrincipale</code>, <code>AnotherTargetPage</code>).</li>
<li>The <code>actions/EraseSpamedCommentsAction.php</code> processes the request, invoking <code>PageController::delete()</code> and <code>PageManager::deleteOrphaned()</code>.</li>
<li>YesWiki, lacking authorization checks in the action and an unconditional delete function, permanently removes the specified wiki pages, their links, ACLs, and related data from the database.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52766 allows an unauthenticated attacker to perform arbitrary page deletion, including critical system pages like the front page (<code>PagePrincipale</code>), user-created content, or administrative sections. This leads to severe data loss, defacement, and disruption of the wiki service. The impact can range from temporary unavailability due to critical page deletion to permanent loss of valuable information, depending on backup strategies and the targeted content. Given the unauthenticated nature, mass deletion across entire wiki installations is possible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch YesWiki installations to version 4.6.6 or higher to remediate CVE-2026-52766.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.</li>
<li>Review web server access logs for HTTP POST requests matching the patterns in the provided Sigma rules.</li>
<li>Implement strong access controls for web applications, including disabling unnecessary public write access and enforcing authentication for sensitive actions.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-application</category><category>rce</category><category>data-destruction</category><category>cve</category><category>yeswiki</category></item></channel></rss>