CVE-2026-52766
Summary
The {{erasespamedcomments}} wiki action (actions/EraseSpamedCommentsAction.php) accepts a suppr[] array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's allow-by-default action ACL model, any user who has page write access, which is the default for everyone (default_write_acl='*') on a fresh install can permanently delete arbitrary wiki pages, including the front page, admin pages, and pages owned by other users.
The action's delete() callee is PageManager::deleteOrphaned(), which despite its name does not check whether the target page is orphaned: it issues an unconditional DELETE against pages, links, acls, triples, referrers, and tags tables.
Details
Three issues compose the vulnerability.
1. actions/EraseSpamedCommentsAction.php performs no authorization check before processing $_POST['clean'] / $_POST['suppr'][] in actions/EraseSpamedCommentsAction.php:
public function run()
{
$wiki = &$this->wiki;
ob_start();
// ...
elseif (isset($_POST['clean'])) {
$deletedPages = '';
if (!empty($_POST['suppr'])) {
foreach ($_POST['suppr'] as $page) {
echo 'Effacement de : ' . $page . "<br />\n";
if ($wiki->services->get(PageController::class)->delete($page)) {
$deletedPages .= $page . ', ';
}
}
}
}
}
No UserIsAdmin(), no UserIsOwner(), no HasAccess('write', $page) per-target check, no CSRF token check.
2. The default action ACL grants access to everyone in includes/YesWiki.php:
$acl = empty($this->config['permissions'][$moduleType][$module])
? '*'
: $this->config['permissions'][$moduleType][$module];
if ($acl === null) { return true; }
return $this->CheckACL($acl, $user);
No shipped permissions map gates erasespamedcomments to admins, so Performer::CheckModuleACL('erasespamedcomments', 'action') returns true for anonymous users.
3. PageController::delete() and PageManager::deleteOrphaned() perform no authorization
⚡ Watch CVE-2026-52766
Get an email if CVE-2026-52766 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-52766)