84 matches found
YesWiki: Unauthenticated SQL Injection
Summary: An unauthenticated SQL injection in the Bazar form-import path (FormManager::create) allows any unauthenticated visitor of a default YesWiki install to inject arbitrary SQL into an INSERT statement and read the full database, including yeswikiusers.password hashes. Present in 4.6.1 / 4.6.2 ...
EUVD-2018-1974
Malware in sbrugna...
EUVD-2025-0129
Malicious code in bioql PyPI...
EUVD-2025-0203
Malicious code in bioql PyPI...
EUVD-2025-12663
Malicious code in bioql PyPI...
EUVD-2025-12628
Malicious code in bioql PyPI...
EUVD-2025-12664
Malicious code in bioql PyPI...
EUVD-2025-12616
Malicious code in bioql PyPI...
EUVD-2025-12662
Malicious code in bioql PyPI...
EUVD-2025-12614
Malicious code in bioql PyPI...
EUVD-2025-12615
Malicious code in bioql PyPI...
Exploit for Path Traversal in Yeswiki
Blackash-CVE-2025-31131 CVE-2025-31131 - YesWiki 4.5.2 Path...
Reflected Cross-Site Scripting (Reflected XSS)
yeswiki/yeswiki is vulnerable to reflected cross-site scripting (XSS). The vulnerability is due to improper sanitization of user input in the file upload form, which allows attackers to craft malicious links that execute arbitrary scripts in the victim’s browser...
Remote Code Execution (RCE)
yeswiki/yeswiki is vulnerable to Remote Code Execution (RCE). The vulnerability is due to arbitrary file write, which allows attackers to upload PHP files that can be executed on the server...
Cross-Site Scripting (XSS)
yeswiki/yeswiki is vulnerable to Reflected Cross-Site Scripting (Reflected XSS). The vulnerability is due to insufficient sanitization of user-supplied input in URLs, which allows attackers to inject malicious scripts that are reflected in the server’s response...
Cross-Site Scripting (XSS)
yeswiki/yeswiki is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient input sanitization of the idformulaire parameter on the /?BazaR endpoint, which allows attackers to perform reflected cross-site scripting attacks to steal session cookies, hijack user sessions,...
CVE-2025-46350
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability...
CVE-2025-46346
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user...
CVE-2025-46348
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated...
CVE-2025-46549
YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability...