YesWiki allows attackers to inject malicious scripts into form titles
Severity score: 7.1
Advisory: GHSA-37fq-47qj-6j5j
CVE: CVE-2026-34598
Summary
Attackers can inject JavaScript into form titles; the script is stored with the record and executes in the browser of any user who later views a page that renders the title, including administrators. According to the report, no account is needed to submit the payload. YesWiki 4.6.0 is listed as the fixed version; because the payload is stored rather than reflected, administrators should update and then review existing form records for injected markup, since updating the code does not remove what was already saved. Users should report any suspicious activity to the administrators.
What to do
- Update yeswiki to version 4.6.0.
- After updating, review stored form records (titles and descriptions) for injected markup; the update does not clean payloads that were saved before it.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| yeswiki | yeswiki | <= 4.6.0 | 4.6.0 |
Original title
YesWiki has Persistent Blind XSS at "/?BazaR&vue=consulter"
Original description
### Summary
A stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed.
Type: Stored and Blind Cross-Site Scripting (XSS)
Affected Component: form title input field
Authentication Required: No (Unauthenticated attack possible)
Impact: Arbitrary JavaScript execution in victim’s browser
### Details
A Stored XSS vulnerability occurs when an application stores malicious user input (in this case, a script injected via the form title field) in its backend database and renders it later on a page viewed by other users without proper sanitization or encoding.
In this case, the attacker can inject JavaScript payloads in the title field of a form, which the application stores in the database. When any user, such as an admin or another visitor, views the page that displays this title, the malicious script executes in their browser context.
### PoC
- Visit `https://yeswiki.net/?BazaR&vue=formulaire`, `localhost/?BazaR&vue=formulaire` or `https://ferme.yeswiki.net/[username]/?BazaR&vue=formulaire`
- Click on the `+` icon to add a record via the `Diary` form.
- Inject a payload such as `<script>alert(document.cookie)</script>` or `<script>alert(1)</script>` into `Name of the event` and `Description`
- Then save the record by clicking `To validate`
- The payload will be executed when anyone visits `/?BazaR&vue=consulter`, and also in the diary record itself at `/?wiki=BazaR&vue=consulter&action=recherche&q=&id=2&facette=`
The payload is persistent.
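To make the mechanism concrete, here is an added example in Python; it is not YesWiki code (YesWiki is written in PHP, and its templates are not reproduced here). It contrasts a record title interpolated straight into the page, as the description above says the vulnerable view did, with the same title passed through HTML entity encoding, and it adds the check a practitioner wants after updating: an audit over stored records for markup that was saved before the fix, since the payload persists in the database. The records, and the field names `title` and `description`, are constructed for this example and are not YesWiki's real data or column names.

```python
import html
from html.parser import HTMLParser

# Constructed sample records standing in for stored Bazar form entries.
# Field names "title" and "description" are assumed for this example and
# are not YesWiki's real column names. Record 2 carries payloads of the
# kind shown in the PoC; record 3 holds text with '<', '>' and '&' that
# is NOT markup and must not be flagged.
SAMPLE_RECORDS = [
    {"id": 1, "title": "Monthly meetup", "description": "Bring a laptop."},
    {"id": 2, "title": "<script>alert(document.cookie)</script>",
              "description": "<img src=x onerror=alert(1)>"},
    {"id": 3, "title": "Tom & Jerry <3", "description": "Less < or > more."},
]


def render_title_vulnerable(title: str) -> str:
    """Interpolates the stored title straight into the page: the flaw."""
    return f"<h2>{title}</h2>"


def render_title_fixed(title: str) -> str:
    """Entity-encodes the title so the browser treats it as text, not markup."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


class MarkupFinder(HTMLParser):
    """Records any tag, on* handler or javascript: URL seen in a field
    that is supposed to hold plain text."""

    URL_ATTRS = {"href", "src", "action", "formaction", "data"}

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Any tag at all is suspicious in a title; handlers and
        # javascript: URLs are the usual alternate XSS syntaxes (CWE-87).
        self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"handler:{lname}")
            elif (lname in self.URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"javascript-url:{lname}")


def find_markup(value: str) -> list:
    """Returns the suspicious constructs found in one stored field value."""
    finder = MarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def audit_records(records, fields=("title", "description")) -> list:
    """Lists records whose plain-text fields contain markup. Run this after
    updating, because the update does not clean payloads already stored."""
    hits = []
    for rec in records:
        for field in fields:
            findings = find_markup(rec.get(field, ""))
            if findings:
                hits.append({"id": rec["id"], "field": field, "findings": findings})
    return hits


if __name__ == "__main__":
    payload = SAMPLE_RECORDS[1]["title"]
    print("vulnerable:", render_title_vulnerable(payload))
    print("fixed:     ", render_title_fixed(payload))
    for hit in audit_records(SAMPLE_RECORDS):
        print(f"record {hit['id']} field {hit['field']}: {hit['findings']}")
```

Encoding on output is the fix that matters here: `html.escape` turns the `<script>` tag into `&lt;script&gt;`, which the browser displays rather than executes, and it handles record 3's bare `<`, `>` and `&` without damaging the text. The audit is deliberately strict (any tag is reported), which is appropriate for a field that should never contain markup; a field that legitimately allows HTML needs an allow-list sanitizer instead.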
CVSS 4.0 score (GHSA): 7.1
Vulnerability type
CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CWE-87: Improper Neutralization of Alternate XSS Syntax
Published: 1 Apr 2026 · Updated: 1 Apr 2026 · First seen: 1 Apr 2026