CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52766

criticalCVSS 9.1covered by 1 sourcefirst seen 2026-07-09
Summary The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users. The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables. Details Three issues compose the vulnerability. 1. actions/EraseSpamedCommentsAction.php performs no authorization check before processing $_POST['clean'] / $_POST['suppr'][] in actions/EraseSpamedCommentsAction.php: public function run() { $wiki = &$this->wiki; ob_start(); // ... elseif (isset($_POST['clean'])) { $deletedPages = ''; if (!empty($_POST['suppr'])) { foreach ($_POST['suppr'] as $page) { echo 'Effacement de : ' . $page . "<br />\n"; if ($wiki->services->get(PageController::class)->delete($page)) { $deletedPages .= $page . ', '; } } } } } No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check. 2. The default action ACL grants access to everyone in includes/YesWiki.php: $acl = empty($this->config['permissions'][$moduleType][$module]) ? '*' : $this->config['permissions'][$moduleType][$module]; if ($acl === null) { return true; } return $this->CheckACL($acl, $user); No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users. 3. PageController::delete() and PageManager::deleteOrphaned() perform no authorization

⚡ Watch CVE-2026-52766

Get an email if CVE-2026-52766 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52766

CVE.org record

Embed the live status

CVE-2026-52766 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52766 status](https://www.csirts.com/badge/CVE-2026-52766)](https://www.csirts.com/cve/CVE-2026-52766)