CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52770

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-09
Summary YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters. For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validation. An unauthenticated attacker can inject boolean SQL expressions and infer database contents from whether entries are returned. Details The public Bazar API reads attacker-controlled query filters from GET parameters: // tools/bazar/controllers/ApiController.php $vQuery = $_GET['query'] ?? $_GET['queries'] ?? null; $vQuery = $vSearchManager->aggregateQueries( !empty($selectedEntries) ? ['queries' => ['id_fiche' => $selectedEntries]] : [], isset($vQuery) ? urldecode($vQuery) : '' ); Relevant public routes include: @Route("/api/forms/{formId}/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}}) @Route("/api/entries/{output}/{selectedEntries}", methods={"GET"}, options={"acl":{"public"}}) @Route("/api/entries/bazarlist", methods={"GET"}, options={"acl":{"public"}}) The query is passed into BazarListService::getEntries() and then into SearchManager::search(): // tools/bazar/services/BazarListService.php $vLocalEntries = $vSearchManager->search( array_merge( $pOptions, [ 'formsIds' => $vLocalIDs, ] ), true, true ); The vulnerable sink is in SearchManager::buildQueriesConditions(): // tools/bazar/services/SearchManager.php if ($vDescriptor['_type_'] == 'number') { if (isset($vValue) && trim($vValue) !== '') { $vValueConditions[] = 'CAST(' . mysqli_real_escape_string($this->wiki->dblink, $this->renameJSONPathVariable($vFieldName)) . ' AS DOUBLE) ' . $vComparisonOperator . ' ' . mysqli_real_escape_string($this->wiki->dblink, $vValue); } } Because numeric values are not quoted, SQL syntax remains active after escaping. For example, the following value is accepted as part of the numeric expression: 100 OR (SELECT COUNT(*) FROM yeswiki_users)>0

⚡ Watch CVE-2026-52770

Get an email if CVE-2026-52770 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52770

CVE.org record

Embed the live status

CVE-2026-52770 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52770 status](https://www.csirts.com/badge/CVE-2026-52770)](https://www.csirts.com/cve/CVE-2026-52770)