CVE-2026-52770
Summary
YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters.
For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validation. An unauthenticated attacker can inject boolean SQL expressions and infer database contents from whether entries are returned.
Details
The public Bazar API reads attacker-controlled query filters from GET parameters:
// tools/bazar/controllers/ApiController.php
$vQuery = $_GET['query'] ?? $_GET['queries'] ?? null;
$vQuery = $vSearchManager->aggregateQueries(
!empty($selectedEntries) ? ['queries' => ['id_fiche' => $selectedEntries]] : [],
isset($vQuery) ? urldecode($vQuery) : ''
);
Relevant public routes include:
@Route("/api/forms/{formId}/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}})
@Route("/api/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}})
@Route("/api/entries/bazarlist", methods={"GET"}, options={"acl":{"public"}})
The query is passed into BazarListService::getEntries() and then into SearchManager::search():
// tools/bazar/services/BazarListService.php
$vLocalEntries = $vSearchManager->search(
array_merge(
$pOptions,
[
'formsIds' => $vLocalIDs,
]
),
true,
true
);
The vulnerable sink is in SearchManager::buildQueriesConditions():
// tools/bazar/services/SearchManager.php
if ($vDescriptor['_type_'] == 'number') {
if (isset($vValue) && trim($vValue) !== '') {
$vValueConditions[] = 'CAST(' . mysqli_real_escape_string($this->wiki->dblink, $this->renameJSONPathVariable($vFieldName)) . ' AS DOUBLE) ' . $vComparisonOperator . ' ' . mysqli_real_escape_string($this->wiki->dblink, $vValue);
}
}
Because numeric values are not quoted, SQL syntax remains active after escaping. For example, the following value is accepted as part of the numeric expression:
100 OR (SELECT COUNT(*) FROM yeswiki_users)>0
⚡ Watch CVE-2026-52770
Get an email if CVE-2026-52770 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-52770)