Unsecured Execution Vulnerability in YesWiki Wiki System
CVE-2026-52778

9.8 CRITICAL

Key Information:

Vendor: Yeswiki
Status: Vendor
CVE Published: 8 June 2026
What is CVE-2026-52778?

YesWiki is a PHP-based wiki system. Before version 4.6.6, the Bazar form field calculator (CalcField.php) does not adequately sanitize user-defined mathematical formulas before passing them to PHP's eval(). The sanitizing step itself is susceptible to Regular Expression Denial of Service (ReDoS), so a crafted formula can tie up the server and take the application down; and because the formula still reaches eval(), any bypass of that check yields arbitrary PHP code execution on the server. Version 4.6.6 fixes the issue. Affected deployments should upgrade to 4.6.6 or later; until then, the ability to define a Bazar calculator field should be treated as equivalent to running code on the server, and a regex in front of eval() should not be relied on as a substitute for the fix.
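The general pattern behind this class of bug, as an added example that is not YesWiki's code and does not reproduce its actual regex or fix: a hypothetical allowlist regex with a nested quantifier gates a formula before eval(), which gives two failure modes at once, exponential backtracking on a crafted non-matching input (ReDoS) and acceptance of identifiers the gate's author never meant to reach eval(). Beside it is the shape a fix should take: a tokenizer and a precedence-climbing parser for a fixed arithmetic grammar that resolves names only against a supplied field table and never calls eval(). It is written in Python rather than PHP because the pattern is language-independent; UNSAFE_FORMULA_RE, MAX_FORMULA_LEN, the token grammar and the sample formulas are all assumptions made for the illustration.

```python
import operator
import re
import time

# Constructed illustration, not YesWiki code: a regex allowlist gating eval()
# (the shape the advisory describes) beside an evaluator that never calls
# eval(). The regex and the grammar below are assumptions, not the project's.

# Anti-pattern: (...)+ around [..]+ and an optional [..]* backtracks exponentially
# on input it cannot match (ReDoS), and the allowlist still admits any identifier
# followed by "(", so eval() receives whatever the regex lets past.
UNSAFE_FORMULA_RE = re.compile(r"^([A-Za-z0-9_]+[\s+\-*/().,]*)+$")

def gate_accepts(formula):
    """True when the allowlist regex would pass the formula on to eval()."""
    return UNSAFE_FORMULA_RE.match(formula) is not None

def gate_timing(n):
    """Time the gate on n letters plus '!' (never matches) -> (accepted, seconds)."""
    t0 = time.perf_counter()
    accepted = gate_accepts("a" * n + "!")
    return accepted, time.perf_counter() - t0  # roughly doubles per extra letter

# Hardened form: tokenize and parse a fixed arithmetic grammar, never eval().
class FormulaError(ValueError):
    """Any formula outside the supported grammar."""

MAX_FORMULA_LEN = 256  # assumed cap; also bounds parser recursion depth
TOKEN_RE = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/()]))")
BINARY = {"+": (1, operator.add), "-": (1, operator.sub),
          "*": (2, operator.mul), "/": (2, operator.truediv)}

def tokenize(formula):
    """Split into (kind, value) tokens; any other character is rejected."""
    tokens, pos = [], 0
    while pos < len(formula):
        m = TOKEN_RE.match(formula, pos)
        if m is None:
            raise FormulaError(f"illegal character at offset {pos}")
        num, name, op = m.groups()
        tokens.append(("num", float(num)) if num else ("name", name) if name else ("op", op))
        pos = m.end()
    return tokens

class Parser:
    def __init__(self, tokens, fields):
        self.tokens, self.i, self.fields = tokens, 0, fields

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected is not None and tok != expected):
            raise FormulaError(f"unexpected token {tok[1]!r}")
        self.i += 1
        return tok

    def expr(self, min_prec=1):
        """Precedence climbing: consume binary operators of at least min_prec."""
        value = self.atom()
        while self.peek()[0] == "op" and BINARY.get(self.peek()[1], (0,))[0] >= min_prec:
            op = self.take()[1]
            prec, apply = BINARY[op]
            rhs = self.expr(prec + 1)
            if op == "/" and rhs == 0:
                raise FormulaError("division by zero")
            value = apply(value, rhs)
        return value

    def atom(self):
        """Number, unary minus, parenthesised expression, or a known field name."""
        kind, val = self.peek()
        if kind == "num":
            return self.take()[1]
        if (kind, val) == ("op", "-"):
            self.take()
            return -self.atom()
        if (kind, val) == ("op", "("):
            self.take()
            value = self.expr()
            self.take(("op", ")"))
            return value
        if kind == "name":  # looked up in the field table only, never in globals()
            self.take()
            if val not in self.fields:
                raise FormulaError(f"unknown field {val!r}")
            return float(self.fields[val])
        raise FormulaError(f"unexpected token {val!r}")

def safe_eval(formula, fields):
    """Evaluate a formula over numeric field values without eval()."""
    if len(formula) > MAX_FORMULA_LEN:
        raise FormulaError("formula too long")
    parser = Parser(tokenize(formula.strip()), fields)
    value = parser.expr()
    if parser.peek()[0] is not None:
        raise FormulaError("trailing input")
    return value
```

Calling gate_timing(n) for n from about 16 upward shows the gate's running time roughly doubling with every extra character while it still returns False, so a length cap in front of a regex like this is not a fix: within a 256-character budget the backtracking is already unbounded in practice. safe_eval rejects "open(1)" and "__import__('os')" as an unknown field and an illegal character respectively, in time linear in the formula length, and the only names it can ever resolve are keys of the fields dictionary the caller passes in.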

Affected Version(s)

yeswiki < 4.6.6

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved
