Executive Summary

CVE-2026-34598 is a stored and blind Cross-Site Scripting (XSS) vulnerability in YesWiki versions prior to 4.6.0. It exists in the form title input field, where an attacker can inject arbitrary JavaScript code without needing to authenticate.

The injected JavaScript is saved in the backend database and executed in the browsers of any users who visit the affected page, such as administrators or other visitors.

This vulnerability arises because user input is not properly neutralized before being rendered on web pages, allowing malicious scripts to run.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who visit the affected pages.

• Session hijacking
• Data theft
• Reputational damage

Privileged users, such as administrators, are especially at risk because the malicious script can execute in their browsers, potentially compromising the entire system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the form title or diary form fields such as "Name of the event" and "Description" in YesWiki pages.

You can manually inspect URLs like `https://your-yeswiki-instance/?BazaR&vue=formulaire` to see if any suspicious scripts are present in the input fields.

To detect the vulnerability via commands, you can use tools like curl or wget to fetch the affected pages and grep or search for suspicious script tags.

• curl -s 'https://your-yeswiki-instance/?BazaR&vue=consulter&id=2' | grep -i '<script>'
• curl -s 'https://your-yeswiki-instance/?wiki=BazaR&vue=consulter&action=recherche&q=&id=2&facette=' | grep -i '<script>'

If you find JavaScript code embedded in these pages without proper sanitization, it indicates the presence of the stored XSS vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade YesWiki to version 4.6.0 or later, where this stored and blind XSS vulnerability has been patched.

Until the upgrade can be performed, restrict access to the vulnerable form fields to trusted users only, and avoid visiting or sharing URLs that may contain injected scripts.

Additionally, review and sanitize any existing data in the form title or diary fields to remove malicious JavaScript payloads.

Implement web application firewall (WAF) rules to detect and block suspicious script injections targeting the form title or diary input fields.

Useful 0 Not Useful 0

Compliance Impact

The stored and blind XSS vulnerability in YesWiki allows attackers to inject and execute arbitrary JavaScript code in users' browsers, which can lead to session hijacking and data theft.

Such unauthorized access and potential exposure of personal or sensitive data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access.

Because the vulnerability enables execution of malicious scripts without authentication and affects privileged users such as administrators, it increases the risk of data breaches and reputational damage, further complicating regulatory compliance.

Useful 0 Not Useful 0