CVE-2026-34598
Stored XSS in YesWiki Form Title Allows Remote Script Execution
Publication date: 2026-04-02
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yeswiki | yeswiki | all versions before 4.6.0 (4.6.0 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-87 | The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34598 is a stored and blind Cross-Site Scripting (XSS) vulnerability in YesWiki versions prior to 4.6.0. It exists in the form title input field, where an attacker can inject arbitrary JavaScript code without needing to authenticate.
The injected JavaScript is saved in the backend database and executed in the browsers of any users who visit the affected page, such as administrators or other visitors.
This vulnerability arises because user input is not properly neutralized before being rendered on web pages, allowing malicious scripts to run.
How can this vulnerability impact me?
The vulnerability allows attackers to execute arbitrary JavaScript in the browsers of users who visit the affected pages, which can lead to:
- Session hijacking
- Data theft
- Reputational damage
Privileged users, such as administrators, are especially at risk because the malicious script can execute in their browsers, potentially compromising the entire system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the form title or diary form fields such as "Name of the event" and "Description" in YesWiki pages.
You can manually inspect URLs like `https://your-yeswiki-instance/?BazaR&vue=formulaire` to see if any suspicious scripts are present in the input fields.
To detect the vulnerability via commands, you can use tools like curl or wget to fetch the affected pages and grep for suspicious script tags:
- `curl -s 'https://your-yeswiki-instance/?BazaR&vue=consulter&id=2' | grep -i '<script>'`
- `curl -s 'https://your-yeswiki-instance/?wiki=BazaR&vue=consulter&action=recherche&q=&id=2&facette=' | grep -i '<script>'`
If you find JavaScript code embedded in these pages without proper sanitization, it indicates the presence of the stored XSS vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade YesWiki to version 4.6.0 or later, where this stored and blind XSS vulnerability has been patched.
Until the upgrade can be performed, restrict access to the vulnerable form fields to trusted users only, and avoid visiting or sharing URLs that may contain injected scripts.
Additionally, review and sanitize any existing data in the form title or diary fields to remove malicious JavaScript payloads.
Implement web application firewall (WAF) rules to detect and block suspicious script injections targeting the form title or diary input fields.
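A plain grep for `<script>` in the rendered page also matches the site's own scripts and misses event-handler or `javascript:` payloads (the CWE-87 alternate syntax listed above). The following scanner, added here as an example and not YesWiki code, instead reviews exported form-field values as the "review and sanitize existing data" step recommends; the record layout and the field names `title`/`description` are constructed assumptions, since a real export uses the form's own field identifiers.

```python
"""Scan exported YesWiki form records for stored-XSS payloads (added example,
not YesWiki code; the record layout and field names are constructed)."""
import html
import re

# Active-content indicators for fields that should hold plain text. They run
# after normalisation, so entity-encoded or whitespace-split variants such as
# &lt;script&gt;, &#106;avascript: and java\tscript: fire too (CWE-87).
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "js_uri": re.compile(r"javascript:", re.I),
    "raw_tag": re.compile(r"<\s*[a-z!/]", re.I),
}

def normalise(value):
    """Decode entities until stable (catches double encoding), drop control chars."""
    prev = None
    while prev != value:
        prev, value = value, html.unescape(value)
    return re.sub(r"[\x00-\x1f]", "", value)

def scan_value(value):
    """Return the names of the indicators that fire on one field value."""
    norm = normalise(value)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]

def scan_records(records, fields):
    """Scan the chosen text fields of every record; one finding per field hit."""
    findings = []
    for rec in records:
        for field in fields:
            hits = scan_value(str(rec.get(field, "")))
            if hits:
                findings.append({"id": rec["id"], "field": field, "indicators": hits})
    return findings

# Constructed sample export: a clean record, a raw event-handler payload, an
# entity-encoded javascript: link, and a benign title with a bare '<'.
SAMPLE_RECORDS = [
    {"id": 1, "title": "Team meeting", "description": "Weekly sync"},
    {"id": 2, "title": "x<img src=x onerror=alert(1)>", "description": "ok"},
    {"id": 3, "title": "&lt;a href=&quot;&#106;avascript:alert(1)&quot;&gt;go&lt;/a&gt;"},
    {"id": 4, "title": "Price < 100", "description": "Plain text only"},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS, ("title", "description")):
        print(finding)
```

Records 2 and 3 are reported while the bare `<` in record 4 is not, so the output can be handed to whoever cleans the stored data before the upgrade.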
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The stored and blind XSS vulnerability in YesWiki allows attackers to inject and execute arbitrary JavaScript code in users' browsers, which can lead to session hijacking and data theft.
Such unauthorized access and potential exposure of personal or sensitive data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding user data and preventing unauthorized access.
Because the vulnerability enables execution of malicious scripts without authentication and affects privileged users such as administrators, it increases the risk of data breaches and reputational damage, further complicating regulatory compliance.