Unsecured Execution Vulnerability in YesWiki Wiki System
CVE-2026-52778
9.8 CRITICAL
What is CVE-2026-52778?
YesWiki, a PHP-based wiki system, contains an unsafe-execution vulnerability in the calculator field of its Bazar forms (CalcField.php). Prior to version 4.6.6, user-defined mathematical formulas are inadequately sanitized before being passed to PHP's eval() function. The flawed handling is susceptible to Regular Expression Denial of Service (ReDoS), which could let an attacker crash the server, and because the formula ultimately reaches eval(), a bypass of the existing security controls would lead to arbitrary code execution. Version 4.6.6 fixes this vulnerability.
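One way to take eval() out of the picture for user-supplied formulas, shown here as an added example that is neither YesWiki's own code nor its actual fix: a small recursive-descent evaluator that accepts only arithmetic and uses a single anchored, non-backtracking regex, so there is no pattern to drive into ReDoS and no code path to eval(). The function name safe_calc and the 256-byte default length limit are assumptions.

```php
<?php
// Added illustration, not YesWiki's own CalcField.php: a small recursive-descent
// evaluator for user formulas that never reaches eval(). Only digits, '.', + - * /
// and parentheses are accepted; the one regex is \G-anchored with no nested
// quantifiers, so matching is linear and cannot be driven into ReDoS.
function safe_calc(string $formula, int $maxLen = 256): float
{
    // The length cap (assumed default) bounds parser work and the recursion depth nested '(' can reach.
    if (strlen($formula) > $maxLen) { throw new InvalidArgumentException('formula too long'); }
    $s = str_replace([' ', "\t"], '', $formula);
    $i = 0;
    $peek = function () use ($s, &$i): string { return $s[$i] ?? ''; };
    $expr = function () use (&$expr, &$term, &$i, $peek): float { // term (('+'|'-') term)*
        for ($v = $term(); ($op = $peek()) === '+' || $op === '-';) {
            $i++;
            $v = $op === '+' ? $v + $term() : $v - $term();
        }
        return $v;
    };
    $term = function () use (&$factor, &$i, $peek): float {       // factor (('*'|'/') factor)*
        for ($v = $factor(); ($op = $peek()) === '*' || $op === '/';) {
            $i++;
            $r = $factor();
            if ($op === '/' && $r == 0.0) { throw new DomainException('division by zero'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    };
    $factor = function () use (&$expr, &$factor, &$i, $s, $peek): float { // number | '(' expr ')' | '-' factor
        $c = $peek();
        if ($c === '-') { $i++; return -$factor(); }
        if ($c === '(') {
            $i++;
            $v = $expr();
            if ($peek() !== ')') { throw new InvalidArgumentException('missing )'); }
            $i++;
            return $v;
        }
        if (preg_match('/\G\d+(?:\.\d+)?/', $s, $m, 0, $i)) { $i += strlen($m[0]); return (float) $m[0]; }
        throw new InvalidArgumentException("unexpected '$c' at offset $i"); // anything else is rejected, never evaluated
    };

    $v = $expr();
    if ($i !== strlen($s)) { throw new InvalidArgumentException("trailing input at offset $i"); }
    return $v;
}

var_dump(safe_calc('(2 + 3) * 4 - 10 / 4')); // constructed input; prints float(17.5)
try { safe_calc('1 + x'); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

Any token outside the grammar (identifiers, function calls, quotes) raises an exception instead of being interpreted, which is the property a sanitize-then-eval design cannot guarantee.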
Affected Version(s)
yeswiki < 4.6.6
