CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52774

mediumCVSS 6.1covered by 1 sourcefirst seen 2026-07-09
Summary YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using strip_tags() only. Because strip_tags() does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the victim's browser. This issue is reachable without authentication. During validation, the vulnerable widget route returned the injected HTML for both /HomePage/widget?id=... and /NoSuchPage/widget?id=..., which shows that no login, no page ownership, no edit rights, and not even a valid page tag were required. The only routing prerequisite observed was that the Bazar extension is enabled and the request includes an id parameter. Details The primary sink is in tools/bazar/presentation/templates/widget.tpl.html around lines 4-7, where $_GET['id'] is inserted into the data-formid attribute: data-formid="<?php echo strip_tags($_GET['id']); ?>" strip_tags() is not an output-encoding function. It removes HTML tags, but it does not escape characters such as double quotes, so an attacker can terminate the data-formid attribute and inject new attacker-controlled attributes. The route is served by tools/bazar/handlers/__WidgetHandler.php around lines 14-26, which only checks whether $_GET['id'] is present: if (!isset($_GET['id'])) { return null; } No HasAccess('read'), HasAccess('write'), or authentication check is performed before the vulnerable template is rendered. There is also a second reflection path in the same handler. The handler builds: $urlParams = 'id=' . strip_tags($_GET['id']) . ... and then places the resulting value into the widget template's data-iframeUrl attribute: data-iframeUrl="<?php echo $GLOBALS['wiki']->href('bazariframe', '', $urlparams, false); ?>" During validation, a single payload injected into id was reflected into both data-formid and data-iframeUrl, which confirms that the handler exposes multiple attribute-level sinks from the same uns

⚡ Watch CVE-2026-52774

Get an email if CVE-2026-52774 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52774

CVE.org record

Embed the live status

CVE-2026-52774 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52774 status](https://www.csirts.com/badge/CVE-2026-52774)](https://www.csirts.com/cve/CVE-2026-52774)