CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qg78-vmvc-fhjw: YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters

highCVSS 7.5CVE-2026-52770
Summary YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters. For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validation. An unauthenticated attacker can inject boolean SQL expressions and infer database contents from whether entries are returned. Details The public Bazar API reads attacker-controlled query filters from GET parameters: // tools/bazar/controllers/ApiController.php $vQuery = $_GET['query'] ?? $_GET['queries'] ?? null; $vQuery = $vSearchManager->aggregateQueries( !empty($selectedEntries) ? ['queries' => ['id_fiche' => $selectedEntries]] : [], isset($vQuery) ? urldecode($vQuery) : '' ); Relevant public routes include: @Route("/api/forms/{formId}/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}}) @Route("/api/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}}) @Route("/api/entries/bazarlist", methods={"GET"}, options={"acl":{"public"}}) The query is passed into BazarListService::getEntries() and then into SearchManager::search(): // tools/bazar/services/BazarListService.php $vLocalEntries = $vSearchManager->search( array_merge( $pOptions, [ 'formsIds' => $vLocalIDs, ] ), true, true ); The vulnerable sink is in SearchManager::buildQueriesConditions(): // tools/bazar/services/SearchManager.php if ($vDescriptor['_type_'] == 'number') { if (isset($vValue) && trim($vValue) !== '') { $vValueConditions[] = 'CAST(' . mysqli_real_escape_string($this->wiki->dblink, $this->renameJSONPathVariable($vFieldName)) . ' AS DOUBLE) ' . $vComparisonOperator . ' ' . mysqli_real_escape_string($this->wiki->dblink, $vValue); } } Because numeric values are not quoted, SQL syntax remains active after escaping. For example, the following value is accepted as part of the numeric expression: 100 OR (SELECT COUNT(*) FROM yeswiki_users)>0

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 7.5
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qg78-vmvc-fhjw

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52770coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories