CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52777

criticalcovered by 1 sourcefirst seen 2026-07-09
Details Sink tools/bazar/services/CSVManager.php line 372-399: public function importEntry(array $importedEntries, string $formId): ?array { if (!$this->importdone) { // ... foreach ($importedEntries as $entry) { $entry = unserialize(base64_decode($entry)); // <-- SINK $entry = array_map('strval', $entry); // ... There is no ['allowed_classes' => false] argument; arbitrary classes are instantiated. The subsequent array_map('strval', $entry) additionally exercises __toString on each top-level array element, doubling the magic-method surface available to a gadget chain. Source tools/bazar/actions/BazarImportAction.php: // formatArguments() 'mode' => (isset($_POST['submit_file']) && !empty($_FILES['fileimport']['name'])) ? 'submitfile' : (isset($_POST['importfiche']) ? 'importentries' : 'default'), 'importentries' => $_POST['importfiche'] ?? null, // run() case 'importentries': // ... $importedEntries = $this->CSVManager->importEntry($this->arguments['importentries'], $vID['id']); break; $_POST['importfiche'] flows directly to the sink. The mode switches to 'importentries' whenever the request body contains the key, so an attacker need only POST importfiche[0]=<payload>. Reachability 1. The action is registered as bazarimport. The default BazaR page (setup/sql/default-content.sql -> BazaR page entry, ships with {{bazar showexportbuttons="1"}}) routes ?BazaR&vue=importer&id_typeannonce=<N> to BazarAction::run() -> case VOIR_IMPORTER -> callAction('bazarimport', ...) (tools/bazar/actions/BazarAction.php:257-258). So the sink is reachable on a default install with no extra page authoring. 2. BazarImportAction::run() calls $this->checkSecuredACL() with the default $adminOnly=true. Only wiki admins (or accounts the admin has added to the bazarimport action ACL) can execute it. 3. The importentries branch does NOT invoke CsrfTokenController::checkToken(...). Grepping tools/bazar/actions/BazarImportAction.php confirms the action class has no csrf or checkToken re

⚡ Watch CVE-2026-52777

Get an email if CVE-2026-52777 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-52777

CVE.org record

Embed the live status

CVE-2026-52777 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52777 status](https://www.csirts.com/badge/CVE-2026-52777)](https://www.csirts.com/cve/CVE-2026-52777)