CVE-2026-41143
SQL Injection in YesWiki Bazar Module
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yeswiki | yeswiki | up to 4.6.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41143 is an authenticated SQL injection vulnerability in the YesWiki software, specifically in versions 4.6.0 and earlier. The issue occurs in the bazar module's EntryManager::formatDataBeforeSave() function, where user input from the POST parameter 'id_fiche' is directly concatenated into a SQL query without any sanitization or parameterization.
This flaw allows an authenticated attacker to inject malicious SQL commands, potentially leading to time-based blind SQL injection attacks and full database exfiltration.
The vulnerability arises because the input is not escaped or handled safely, enabling attackers to manipulate the SQL query executed by the application.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to sensitive data, data corruption, and denial of service.
- Confidentiality: Attackers can exfiltrate the entire database, exposing sensitive information.
- Integrity: Malicious SQL commands can alter or delete data, compromising data integrity.
- Availability: Time-based blind SQL injection can be used to cause delays or crashes, affecting the availability of the service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending authenticated POST requests to the endpoint /api/entries/{formId} with specially crafted payloads in the id_fiche parameter to test for SQL injection.
- Use a payload like ' OR SLEEP(3) OR ' to check for time-based blind SQL injection by observing response delays.
- Use error-based payloads such as ' AND extractvalue(1,concat(0x7e,@@version))-- -' to trigger SQL errors that reveal database version information.
These tests require authentication and can be performed using tools like curl or specialized SQL injection testing tools.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade YesWiki to version 4.6.1 or later, where this SQL injection vulnerability has been patched.
If upgrading immediately is not possible, restrict access to the vulnerable endpoint and ensure only trusted authenticated users can access it.
Additionally, monitor and audit logs for suspicious POST requests to /api/entries/{formId} that may indicate exploitation attempts.
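As an added example (not part of this advisory and not YesWiki's own code), the following Python script implements the log-monitoring step above and the detection question earlier: it scans application audit log lines for POST requests to /api/entries/{formId} whose id_fiche value is not a plain identifier, and tags the time-based (SLEEP) and error-based (extractvalue) probes the advisory names. The JSON log format, the sample lines and the allowlist pattern for legitimate id_fiche values are assumptions.

```python
"""Flag POST requests to /api/entries/{formId} whose id_fiche parameter looks
like SQL injection probing (CVE-2026-41143). Assumes an application-level audit
log with one JSON object per line (web-server access logs do not record POST
bodies, so the id_fiche value must come from the application itself)."""
import json
import re

# Assumption: legitimate id_fiche values are plain identifiers (allowlist).
SAFE_ID_FICHE = re.compile(r"^[A-Za-z0-9_-]+$")
ENTRIES_PATH = re.compile(r"^/api/entries/[^/?#]+$")
# Indicators of the probing techniques named in the advisory: time-based
# (SLEEP) and error-based (extractvalue), plus generic SQL syntax for triage.
SQLI_INDICATORS = [
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("sql-syntax", re.compile(r"'|--|/\*|\bor\b|\bunion\b", re.I)),
]


def classify_id_fiche(value):
    """Return matched indicator names, or [] when the value is a plain identifier."""
    if SAFE_ID_FICHE.match(value):
        return []
    hits = [name for name, pat in SQLI_INDICATORS if pat.search(value)]
    return hits or ["unexpected-characters"]


def find_suspicious(log_lines):
    """Return one finding per POST to the entries endpoint with a suspicious id_fiche."""
    findings = []
    for raw in log_lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if rec.get("method") != "POST" or not ENTRIES_PATH.match(rec.get("path", "")):
            continue
        value = rec.get("params", {}).get("id_fiche")
        if value is None:
            continue
        reasons = classify_id_fiche(str(value))
        if reasons:
            findings.append({"user": rec.get("user"), "path": rec["path"], "reasons": reasons})
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '{"method":"POST","path":"/api/entries/12","user":"alice","params":{"id_fiche":"ProjectAlpha"}}',
    '{"method":"POST","path":"/api/entries/12","user":"mallory","params":{"id_fiche":"\' OR SLEEP(3) OR \'"}}',
    '{"method":"GET","path":"/api/entries/12","user":"bob","params":{}}',
    '{"method":"POST","path":"/api/entries/12","user":"mallory","params":{"id_fiche":"x\' AND extractvalue(1,concat(0x7e,@@version))-- -"}}',
    'not json at all',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```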