GHSA-qg78-vmvc-fhjw: YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
Summary
YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters.
For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validation. An unauthenticated attacker can inject boolean SQL expressions and infer database contents from whether entries are returned.
Details
The public Bazar API reads attacker-controlled query filters from GET parameters:
// tools/bazar/controllers/ApiController.php
$vQuery = $_GET['query'] ?? $_GET['queries'] ?? null;
$vQuery = $vSearchManager->aggregateQueries(
!empty($selectedEntries) ? ['queries' => ['id_fiche' => $selectedEntries]] : [],
isset($vQuery) ? urldecode($vQuery) : ''
);
Relevant public routes include:
@Route("/api/forms/{formId}/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}})
@Route("/api/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}})
@Route("/api/entries/bazarlist", methods={"GET"}, options={"acl":{"public"}})
The query is passed into BazarListService::getEntries() and then into SearchManager::search():
// tools/bazar/services/BazarListService.php
$vLocalEntries = $vSearchManager->search(
array_merge(
$pOptions,
[
'formsIds' => $vLocalIDs,
]
),
true,
true
);
The vulnerable sink is in SearchManager::buildQueriesConditions():
// tools/bazar/services/SearchManager.php
if ($vDescriptor['_type_'] == 'number') {
if (isset($vValue) && trim($vValue) !== '') {
$vValueConditions[] = 'CAST(' . mysqli_real_escape_string($this->wiki->dblink, $this->renameJSONPathVariable($vFieldName)) . ' AS DOUBLE) ' . $vComparisonOperator . ' ' . mysqli_real_escape_string($this->wiki->dblink, $vValue);
}
}
Because numeric values are not quoted, SQL syntax remains active after escaping. For example, the following value is accepted as part of the numeric expression:
100 OR (SELECT COUNT(*) FROM yeswiki_users)>0
Details
Original advisory: https://github.com/advisories/GHSA-qg78-vmvc-fhjw
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-52770 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10