GHSA-65p8-9433-jpcp: YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates
Summary
YesWiki Bazar contains a stored Server-Side Template Injection (SSTI) vulnerability in the semantic template feature that can be escalated to confirmed Remote Code Execution (RCE). An authenticated administrator can place arbitrary Twig expressions into the Semantic template (Twig) field (bn_sem_template), and that content is later executed server-side when public semantic endpoints are requested.
This was first confirmed through a harmless proof payload where {{ 7 * 7 }} was rendered as 49 through the public JSON-LD endpoint. The finding was then further validated locally by storing a Twig payload that invoked a system-level callable, resulting in command execution and an interactive shell on the test machine.
Because the payload is stored in the form configuration and later triggered through a public endpoint, this issue is both persistent and remotely triggerable after an administrator plants the malicious template.
Details
The vulnerable behavior is in the Bazar semantic rendering flow.
The administrator-editable fields:
- bn_sem_template
- bn_sem_reverse_template
allow Twig template content to be stored inside a form definition. That content is later rendered by the backend semantic transformer through TemplateEngine::renderFromStringNoEscape(), which passes the user-controlled string into Twig for execution.
Relevant sink:
$json = $this->templateEngine->renderFromStringNoEscape($form['bn_sem_template'], $data);
The rendering helper evaluates the supplied string as a live Twig template:
public function renderFromStringNoEscape(string $templateString, array $data = []): string
{
$wrapped = '{% autoescape false %}' . $templateString . '{% endautoescape %}';
return $this->twig->createTemplate($wrapped)->render($data);
}
This is unsafe because administrator-controlled semantic template text is executed as server-side Twig code rather than treated as inert data. In the validated environment, Twig expressions were first confirmed to execute through
Details
Original advisory: https://github.com/advisories/GHSA-65p8-9433-jpcp
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52762 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10