CVE-2026-52778
Received - Intake
Unsafe eval() in YesWiki Bazar CalcField.php ReDoS Risk

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.
Meta Information
Generated
2026-06-09
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
yeswiki  yeswiki   all versions prior to 4.6.6 (4.6.6 itself excluded)
CWE
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in YesWiki, a PHP-based wiki system, specifically in the Bazar form field calculator (CalcField.php) before version 4.6.6. The application tries to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. However, this sanitization is flawed, making the system vulnerable to Regular Expression Denial of Service (ReDoS) attacks that can crash the server. Moreover, this vulnerability creates a high-risk situation where any bypass of the logic can lead to arbitrary PHP code execution.
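To make the flawed architecture concrete, the following Python example is added here; it is not YesWiki's code, and the real CalcField.php regular expression is not reproduced. It places the vulnerable shape, a regex allowlist followed by eval(), beside a hardened replacement that tokenizes and evaluates the arithmetic itself and therefore has no eval() to bypass. NAIVE_ALLOWLIST, MAX_DEPTH and the function names are assumptions made for the illustration. The naive pattern nests a quantifier over \d+, so a long digit run ending in an illegal character forces the engine to try every split of the digits before rejecting; the recursive-descent evaluator consumes one token per step and caps nesting depth, so neither a long input nor deeply nested parentheses can exhaust CPU or the stack.

```python
"""Regex allowlist + eval() beside a real parser: added example, not YesWiki code."""
import re
import time

# Constructed stand-in for a "sanitizing" regex (the real CalcField.php pattern is not
# reproduced). (\d+|...)+ nests a quantifier over \d+, so an input that fails late makes
# the engine try every split of the digit run: matching time grows exponentially.
NAIVE_ALLOWLIST = re.compile(r"^(\d+|[-+*/().\s])+$")

def calc_unsafe(formula: str):
    """Vulnerable shape: trust the regex, then hand the string to eval()."""
    if not NAIVE_ALLOWLIST.match(formula):
        raise ValueError("formula rejected by allowlist")
    return eval(formula)  # deliberately unsafe: any allowlist gap is code execution

def naive_regex_seconds(n: int) -> float:
    """Seconds the naive allowlist spends rejecting n digits followed by 'x'."""
    start = time.perf_counter()
    NAIVE_ALLOWLIST.match("1" * n + "x")
    return time.perf_counter() - start

# ---- Hardened replacement: tokenize, parse, evaluate; never eval() ----------
class FormulaError(ValueError):
    """Any input the arithmetic grammar does not accept."""

MAX_DEPTH = 32  # assumed nesting cap so hostile input cannot exhaust the stack
# One token per match, no nested quantifiers: linear in the input length.
# The final '$' alternative swallows trailing whitespace at end of input.
_TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([-+*/()])|$)")

def tokenize(formula: str) -> list:
    tokens, pos = [], 0
    while pos < len(formula):
        m = _TOKEN.match(formula, pos)
        if m is None:
            raise FormulaError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.group(1):
            tokens.append(float(m.group(1)))
        elif m.group(2):
            tokens.append(m.group(2))
    return tokens

class _Parser:
    """expr := term (('+'|'-') term)*; term := factor (('*'|'/') factor)*; factor := NUMBER | '-' factor | '(' expr ')'"""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self, depth=0):
        value = self.term(depth)
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.term(depth)
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self, depth):
        value = self.factor(depth)
        while self.peek() in ("*", "/"):
            op, rhs = self.take(), self.factor(depth)
            if op == "/" and rhs == 0:
                raise FormulaError("division by zero")
            value = value * rhs if op == "*" else value / rhs
        return value

    def factor(self, depth):
        if depth > MAX_DEPTH:
            raise FormulaError("expression nested too deeply")
        tok = self.take()
        if tok is None:
            raise FormulaError("unexpected end of formula")
        if tok == "-":
            return -self.factor(depth + 1)
        if tok == "(":
            value = self.expr(depth + 1)
            if self.take() != ")":
                raise FormulaError("missing closing parenthesis")
            return value
        if isinstance(tok, float):
            return tok
        raise FormulaError(f"unexpected token {tok!r}")

def calc_safe(formula: str) -> float:
    """Evaluate + - * / and parentheses without executing anything."""
    parser = _Parser(tokenize(formula))
    value = parser.expr()
    if parser.peek() is not None:
        raise FormulaError("trailing input after expression")
    return value

def rejects(formula: str) -> bool:
    """True when calc_safe refuses the input (exercises the failure modes)."""
    try:
        return calc_safe(formula) is None
    except FormulaError:
        return True
```

naive_regex_seconds(n) exposes the ReDoS behaviour: on CPython each additional digit roughly doubles the rejection time, and by the mid-twenties a single input takes seconds, the same class of failure the advisory describes for PCRE. The structural point is that a filter-then-eval design is exactly as strong as its filter, whereas a parser that never executes its input leaves nothing to bypass.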

Compliance Impact

The vulnerability in YesWiki allows for Remote Code Execution (RCE) and Denial of Service (DoS), which can lead to unauthorized access, data breaches, and service outages.

Such security issues can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data confidentiality, integrity, and availability.

Specifically, a successful attack exploiting this vulnerability could compromise sensitive data or disrupt service, potentially resulting in violations of these regulations' security requirements.

Remediation by upgrading to version 4.6.6, which patches the issue, is necessary to maintain compliance and reduce risk.

Detection Guidance

This vulnerability affects YesWiki versions prior to 4.6.6, specifically the Bazar form field calculator (CalcField.php), where a user-defined formula is filtered by a regular expression and then passed to eval().

To determine whether a deployment is vulnerable, check the installed YesWiki version: anything prior to 4.6.6 is affected.

Suggested checks:

  • Confirm the installed version from the wiki's own version identifier. The path below is a placeholder, not a guaranteed location; locate the version file or constant for your release first, then for example: `grep -i 'version' /path/to/yeswiki/version.txt` or `cat /path/to/yeswiki/version.txt`.
  • Locate CalcField.php without assuming a fixed directory layout and inspect how the formula reaches eval(): `find /path/to/yeswiki -name CalcField.php -exec grep -n 'eval' {} +`. A formula path that ends in eval() is the vulnerable design; the version check, not the grep alone, decides whether the installed build is fixed.
  • Watch the logs for the two ways a ReDoS surfaces in PHP: either the preg_* call gives up once pcre.backtrack_limit or pcre.recursion_limit is hit and returns false (visible only through preg_last_error(), so the application may log nothing and simply return an empty result), or the PHP worker itself dies, which php-fpm records as a child exiting on a signal (for example SIGSEGV) and the web server turns into 500/502 responses. Repeated worker deaths or PHP fatal errors that coincide with Bazar calculator requests are the signal to look for.

No network detection commands or signatures are published for this issue, so detection relies on version checking and code inspection.
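The checks above can be scripted. The following is an added Python example, not part of this advisory or of YesWiki, that compares a version string against 4.6.6 and scans an installation tree for CalcField.php files that call eval(). The tools/bazar/fields layout and the PHP text in build_sample_tree() are constructed for the demo and are not YesWiki's source; point find_eval_in_calcfield() at a real installation root instead.

```python
"""Version and source checks for CVE-2026-52778: added example, not YesWiki code."""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "4.6.6"  # first release the advisory reports as patched

def parse_version(text: str) -> tuple:
    """'4.6.5', 'v4.6.5' or '4.6.5-rc1' -> (4, 6, 5). Pre-release suffixes are
    dropped, so treat a '4.6.6-rc' build as unverified rather than as fixed."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable_version(text: str) -> bool:
    """True for every release before 4.6.6 (tuple comparison, so 4.10 > 4.6)."""
    return parse_version(text) < parse_version(FIXED_VERSION)

# A real eval( call, not identifiers such as evaluate( or a $eval variable.
EVAL_CALL = re.compile(r"(?<![\w$])eval\s*\(")

def find_eval_in_calcfield(root) -> list:
    """(relative path, line number, stripped line) for each eval() call in any
    CalcField.php below root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("CalcField.php")):
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        for lineno, line in enumerate(lines, start=1):
            if EVAL_CALL.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits

def build_sample_tree() -> Path:
    """Constructed mock install for the demo. The tools/bazar/fields layout and
    the PHP text are assumptions, not YesWiki's real source."""
    root = Path(tempfile.mkdtemp(prefix="yeswiki-demo-"))
    field_dir = root / "tools" / "bazar" / "fields"
    field_dir.mkdir(parents=True)
    (field_dir / "CalcField.php").write_text("\n".join([
        "<?php",
        "class CalcField",
        "{",
        "    public function compute($formula)",
        "    {",
        "        if (!preg_match(self::FORMULA_RE, $formula)) { return null; }",
        "        return eval('return ' . $formula . ';');",
        "    }",
        "}",
    ]) + "\n", encoding="utf-8")
    # Decoy that must not be reported: another file whose only 'eval' is inside evaluate(.
    (field_dir / "TextField.php").write_text(
        "<?php\nfunction evaluate($x) { return $x; }\n", encoding="utf-8")
    return root

def scan(root, version: str) -> dict:
    """Combine both checks the way an auditor would run them on one host."""
    return {
        "version": version,
        "version_vulnerable": is_vulnerable_version(version),
        "eval_sites": find_eval_in_calcfield(root),
    }

if __name__ == "__main__":
    print(scan(build_sample_tree(), "4.6.5"))
```

On a real host, replace build_sample_tree() with the installation directory and the version string with the one the wiki reports; a build that is at or above 4.6.6 is the decisive signal, while an eval() hit in CalcField.php is corroboration of the vulnerable design rather than proof that the installed version is unpatched.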

Impact Analysis

The vulnerability can have severe impacts, including crashing the server through Regular Expression Denial of Service (ReDoS) when a crafted formula drives the recursive regex into pathological backtracking. More critically, because the filtered formula is passed straight to eval(), any bypass of the regular-expression check yields arbitrary PHP code execution on the server, which can lead to full system compromise, data theft, data manipulation, or further exploitation of the affected system.

Mitigation Strategies

To mitigate this vulnerability, upgrade YesWiki to version 4.6.6 or later, which patches the unsafe execution vulnerability in the Bazar form field calculator (CalcField.php). Until the upgrade is applied, limit who may define Bazar form fields, since the formulas that reach the calculator are user-supplied.
