CVE Catalog

CVE-2026-52778

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.05%

17th percentile — higher than 17% of all known CVEs

Summary

YesWiki is a wiki system written in PHP that prior to version 4.6.6 contained an unsafe execution vulnerability in the Bazar form field calculator (CalcField.php). The flawed implementation of sanitizing user-defined mathematical formulas leads to ReDoS vulnerabilities and allows arbitrary PHP code execution.

Risk Assessment

This vulnerability poses a significant risk to organizations as it can lead to server crashes and unauthorized code execution, jeopardizing the integrity and availability of the system.

Recommendation

It is recommended to upgrade to version 4.6.6 or later to mitigate this vulnerability and minimize the risk of unauthorized access to the system.

Original NVD description (English source)

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS