CVE-2026-41143
Deferred Deferred - Pending Action
SQL Injection in YesWiki Bazar Module

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'] value (sourced from $_POST['id_fiche']) is concatenated directly into a raw SQL query without any sanitization or parameterization. This issue has been patched in version 4.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41143
EUVD
EUVD-2026-28312
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yeswiki yeswiki to 4.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41143 is an authenticated SQL injection vulnerability in the YesWiki software, specifically in versions 4.6.0 and earlier. The issue occurs in the bazar module's EntryManager::formatDataBeforeSave() function, where user input from the POST parameter 'id_fiche' is directly concatenated into a SQL query without any sanitization or parameterization.

This flaw allows an authenticated attacker to inject malicious SQL commands, potentially leading to time-based blind SQL injection attacks and full database exfiltration.

The vulnerability arises because the input is not escaped or handled safely, enabling attackers to manipulate the SQL query executed by the application.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive data, data corruption, and denial of service.

  • Confidentiality: Attackers can exfiltrate the entire database, exposing sensitive information.
  • Integrity: Malicious SQL commands can alter or delete data, compromising data integrity.
  • Availability: Time-based blind SQL injection can be used to cause delays or crashes, affecting the availability of the service.
Detection Guidance

This vulnerability can be detected by sending authenticated POST requests to the endpoint /api/entries/{formId} with specially crafted payloads in the id_fiche parameter to test for SQL injection.

  • Use a payload like ' OR SLEEP(3) OR ' to check for time-based blind SQL injection by observing response delays.
  • Use error-based payloads such as ' AND extractvalue(1,concat(0x7e,@@version))-- -' to trigger SQL errors that reveal database version information.

These tests require authentication and can be performed using tools like curl or specialized SQL injection testing tools.

Mitigation Strategies

The immediate mitigation step is to upgrade YesWiki to version 4.6.1 or later, where this SQL injection vulnerability has been patched.

If upgrading immediately is not possible, restrict access to the vulnerable endpoint and ensure only trusted authenticated users can access it.

Additionally, monitor and audit logs for suspicious POST requests to /api/entries/{formId} that may indicate exploitation attempts.

Compliance Impact

The SQL injection vulnerability in YesWiki allows authenticated attackers to execute arbitrary SQL commands, potentially leading to full database exfiltration. This can compromise the confidentiality, integrity, and availability of sensitive data stored within the system.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Failure to patch this vulnerability could result in unauthorized disclosure or alteration of protected data, thereby violating regulatory requirements for data security and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41143. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart