CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-r5xw-gcgw-hwp5: YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes

mediumCVSS 6.1CVE-2026-52774
Summary YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using strip_tags() only. Because strip_tags() does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the victim's browser. This issue is reachable without authentication. During validation, the vulnerable widget route returned the injected HTML for both /HomePage/widget?id=... and /NoSuchPage/widget?id=..., which shows that no login, no page ownership, no edit rights, and not even a valid page tag were required. The only routing prerequisite observed was that the Bazar extension is enabled and the request includes an id parameter. Details The primary sink is in tools/bazar/presentation/templates/widget.tpl.html around lines 4-7, where $_GET['id'] is inserted into the data-formid attribute: data-formid="<?php echo strip_tags($_GET['id']); ?>" strip_tags() is not an output-encoding function. It removes HTML tags, but it does not escape characters such as double quotes, so an attacker can terminate the data-formid attribute and inject new attacker-controlled attributes. The route is served by tools/bazar/handlers/__WidgetHandler.php around lines 14-26, which only checks whether $_GET['id'] is present: if (!isset($_GET['id'])) { return null; } No HasAccess('read'), HasAccess('write'), or authentication check is performed before the vulnerable template is rendered. There is also a second reflection path in the same handler. The handler builds: $urlParams = 'id=' . strip_tags($_GET['id']) . ... and then places the resulting value into the widget template's data-iframeUrl attribute: data-iframeUrl="<?php echo $GLOBALS['wiki']->href('bazariframe', '', $urlparams, false); ?>" During validation, a single payload injected into id was reflected into both data-formid and data-iframeUrl, which confirms that the handler exposes multiple attribute-level sinks from the same uns

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 6.1
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-r5xw-gcgw-hwp5

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-52774coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories