Lucene search
+L

65 matches found

Snyk
Snyk
added 2026/07/09 9:1 p.m.4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of the id parameter in the Bazar widget handler. An attacker can execute arbitrary JavaScript in the victim's browser by crafting a malicious URL that injects attacker-controlled attributes...

6.1CVSS6.2AI score0.00039EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.13 views

PT-2026-57034

Name of the Vulnerable Software and Affected Versions YesWiki version 4.6.5 Description An issue exists in the Bazar widget handler where the id GET parameter is reflected into HTML attributes using only the strip tags function. Since strip tags does not escape double quotes, an unauthenticated...

6.1CVSS6.3AI score0.00039EPSS
Exploits0References5
Nuclei
Nuclei
added 2026/06/15 7:3 a.m.11 views

YesWiki < 4.6.4 - Unauthenticated SQL Injection

YesWiki before version 4.6.4 contains an unauthenticated SQL injection vulnerability in the Bazar form-import path. The bnidnature parameter in FormManager::create is concatenated into an INSERT statement without sanitization, allowing unauthenticated attackers to inject arbitrary SQL and read th...

5.8AI score0.0004EPSS
Exploits0References2
CVE
CVE
added 2026/06/08 6:24 p.m.38 views

CVE-2026-52778

YesWiki (PHP-based wiki) exposes a vulnerability in the Bazar form field calculator (CalcField.php) present before version 4.6.6. The code attempts to sanitize user-defined mathematical formulas using a complex recursive regex prior to passing them to PHP eval(), creating a surface for Regular Ex...

9.8CVSS6AI score0.00561EPSS
Exploits0References3
OSV
OSV
added 2026/06/08 6:24 p.m.5 views

CVE-2026-52778 YesWiki has Unsafe eval() in Formula Calculator - Remote Code Execution (RCE) & Denial of Service (DoS)

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator CalcField.php of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passin...

9.8CVSS6.3AI score0.00561EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.21 views

PT-2026-47441

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.6 Description An unsafe execution issue exists in the Bazar form field calculator CalcField.php. The application uses a complex recursive regular expression to sanitize user-defined mathematical formulas before th...

9.8CVSS5.9AI score0.00561EPSS
Exploits0References11
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.16 views

YesWiki 代码注入漏洞

YesWiki is a wiki system built using PHP, developed by the French organization YesWiki. It is used for creating and managing websites in a collaborative manner. Versions of YesWiki prior to 4.6.6 had a code injection vulnerability; this vulnerability stemmed from an insecure execution flaw in the...

9.8CVSS5.9AI score0.00561EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.13 views

CVE-2026-41143

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS5.5AI score0.00342EPSS
Exploits0References1
NVD
NVD
added 2026/05/07 6:16 a.m.14 views

CVE-2026-41143

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS0.00342EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/07 5:8 a.m.9 views

CVE-2026-41143 YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS5.8AI score0.00342EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/07 5:8 a.m.29 views

EUVD-2026-28312

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS5.8AI score0.00342EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/07 5:8 a.m.8 views

CVE-2026-41143

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS5.8AI score0.00342EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/07 5:8 a.m.23 views

CVE-2026-41143

YesWiki contains an authenticated SQL injection in the bazar module, via id_fiche in EntryManager::formatDataBeforeSave() (code path: tools/bazar/services/EntryManager.php:704). The vulnerable query concatenates $_POST['id_fiche'] into SQL without sanitization, e.g. selecting MIN(time) from pages...

8.8CVSS5.8AI score0.00342EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/07 5:8 a.m.43 views

CVE-2026-41143 YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS0.00342EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/18 1:0 a.m.15 views

YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDataBeforeSave()

Vulnerability Details YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any sanitization or parameterization. Vulnerable Code...

8.8CVSS5.9AI score0.00342EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/18 12:0 a.m.17 views

PT-2026-37109

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.1 Description The bazar module contains a SQL injection flaw in the tools/bazar/services/EntryManager.php file. The issue occurs because the id fiche value, sourced from the $ POST'id fiche' variable, is...

8.8CVSS6.1AI score0.00342EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-4995

Malware in sbrugna...

9.8CVSS9.4AI score0.03213EPSS
Exploits5References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2022-37887

Malicious code in bioql PyPI...

9.8CVSS9.2AI score0.00909EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2022-52362

Malicious code in bioql PyPI...

4.8CVSS5.2AI score0.00758EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2025/05/22 11:1 p.m.8 views

CVE-2022-34989

Fruits Bazar v1.0 was discovered to contain a SQL injection vulnerability via the recoveremail parameter at userpasswordrecover.php...

9.8CVSS8.3AI score0.00909EPSS
Exploits1References1
Rows per page
Query Builder