CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52762

highcovered by 1 sourcefirst seen 2026-07-09
Summary YesWiki Bazar contains a stored Server-Side Template Injection (SSTI) vulnerability in the semantic template feature that can be escalated to confirmed Remote Code Execution (RCE). An authenticated administrator can place arbitrary Twig expressions into the Semantic template (Twig) field (bn_sem_template), and that content is later executed server-side when public semantic endpoints are requested. This was first confirmed through a harmless proof payload where {{ 7 * 7 }} was rendered as 49 through the public JSON-LD endpoint. The finding was then further validated locally by storing a Twig payload that invoked a system-level callable, resulting in command execution and an interactive shell on the test machine. Because the payload is stored in the form configuration and later triggered through a public endpoint, this issue is both persistent and remotely triggerable after an administrator plants the malicious template. Details The vulnerable behavior is in the Bazar semantic rendering flow. The administrator-editable fields: - bn_sem_template - bn_sem_reverse_template allow Twig template content to be stored inside a form definition. That content is later rendered by the backend semantic transformer through TemplateEngine::renderFromStringNoEscape(), which passes the user-controlled string into Twig for execution. Relevant sink: $json = $this->templateEngine->renderFromStringNoEscape($form['bn_sem_template'], $data); The rendering helper evaluates the supplied string as a live Twig template: public function renderFromStringNoEscape(string $templateString, array $data = []): string { $wrapped = '{% autoescape false %}' . $templateString . '{% endautoescape %}'; return $this->twig->createTemplate($wrapped)->render($data); } This is unsafe because administrator-controlled semantic template text is executed as server-side Twig code rather than treated as inert data. In the validated environment, Twig expressions were first confirmed to execute through

⚡ Watch CVE-2026-52762

Get an email if CVE-2026-52762 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52762

CVE.org record

Embed the live status

CVE-2026-52762 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52762 status](https://www.csirts.com/badge/CVE-2026-52762)](https://www.csirts.com/cve/CVE-2026-52762)