CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-65p8-9433-jpcp: YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates

highCVE-2026-52762
Summary YesWiki Bazar contains a stored Server-Side Template Injection (SSTI) vulnerability in the semantic template feature that can be escalated to confirmed Remote Code Execution (RCE). An authenticated administrator can place arbitrary Twig expressions into the Semantic template (Twig) field (bn_sem_template), and that content is later executed server-side when public semantic endpoints are requested. This was first confirmed through a harmless proof payload where {{ 7 * 7 }} was rendered as 49 through the public JSON-LD endpoint. The finding was then further validated locally by storing a Twig payload that invoked a system-level callable, resulting in command execution and an interactive shell on the test machine. Because the payload is stored in the form configuration and later triggered through a public endpoint, this issue is both persistent and remotely triggerable after an administrator plants the malicious template. Details The vulnerable behavior is in the Bazar semantic rendering flow. The administrator-editable fields: - bn_sem_template - bn_sem_reverse_template allow Twig template content to be stored inside a form definition. That content is later rendered by the backend semantic transformer through TemplateEngine::renderFromStringNoEscape(), which passes the user-controlled string into Twig for execution. Relevant sink: $json = $this->templateEngine->renderFromStringNoEscape($form['bn_sem_template'], $data); The rendering helper evaluates the supplied string as a live Twig template: public function renderFromStringNoEscape(string $templateString, array $data = []): string { $wrapped = '{% autoescape false %}' . $templateString . '{% endautoescape %}'; return $this->twig->createTemplate($wrapped)->render($data); } This is unsafe because administrator-controlled semantic template text is executed as server-side Twig code rather than treated as inert data. In the validated environment, Twig expressions were first confirmed to execute through

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-65p8-9433-jpcp

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52762coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories