GHSA-px5m-h76g-p7p8: YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
YesWiki versions prior to 4.6.6 contain a critical vulnerability in the Bazar form field calculator (CalcField.php) where user-defined formulas are validated by a complex recursive regular expression before being passed to PHP's eval() function. This approach is flawed, allowing attackers to cause a Denial of Service via PCRE stack overflow or potentially bypass validation to execute arbitrary PHP code remotely. The vulnerability impacts confidentiality, integrity, and availability of the affected system.
AI Analysis
Technical Summary
The vulnerability exists in the tools/bazar/fields/CalcField.php file within the formatValuesBeforeSave($entry) method. The application uses a recursive regex pattern to validate mathematical formulas before executing them with eval(). Due to the recursive nature of the regex, an attacker can craft deeply nested input that exhausts the PCRE recursion limit, causing a server crash (Denial of Service). Furthermore, if the regex validation is bypassed—through fuzzing, edge cases, or PCRE engine bugs—arbitrary PHP code can be executed with web server privileges, leading to full host compromise. The vulnerability affects all YesWiki versions prior to 4.6.6. No official patch or fix link is provided in the advisory, and the vendor has not confirmed remediation status.
Potential Impact
Successful exploitation can lead to high confidentiality impact by allowing attackers to read sensitive files such as /etc/passwd and configuration files. Integrity impact is high as attackers can modify application files, inject backdoors, or alter database content. Availability is also highly impacted due to the ability to crash the PHP process via a Regular Expression Denial of Service (ReDoS) attack, rendering the service unavailable.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to disable or avoid using the vulnerable Bazar form field calculator feature. Do not rely on regular expressions to sanitize input for eval(). Instead, replace the vulnerable code with a dedicated, safe Abstract Syntax Tree (AST) math parser or a secure expression language component that does not execute system context code.
GHSA-px5m-h76g-p7p8: YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service
Description
YesWiki versions prior to 4.6.6 contain a critical vulnerability in the Bazar form field calculator (CalcField.php) where user-defined formulas are validated by a complex recursive regular expression before being passed to PHP's eval() function. This approach is flawed, allowing attackers to cause a Denial of Service via PCRE stack overflow or potentially bypass validation to execute arbitrary PHP code remotely. The vulnerability impacts confidentiality, integrity, and availability of the affected system.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the tools/bazar/fields/CalcField.php file within the formatValuesBeforeSave($entry) method. The application uses a recursive regex pattern to validate mathematical formulas before executing them with eval(). Due to the recursive nature of the regex, an attacker can craft deeply nested input that exhausts the PCRE recursion limit, causing a server crash (Denial of Service). Furthermore, if the regex validation is bypassed—through fuzzing, edge cases, or PCRE engine bugs—arbitrary PHP code can be executed with web server privileges, leading to full host compromise. The vulnerability affects all YesWiki versions prior to 4.6.6. No official patch or fix link is provided in the advisory, and the vendor has not confirmed remediation status.
Potential Impact
Successful exploitation can lead to high confidentiality impact by allowing attackers to read sensitive files such as /etc/passwd and configuration files. Integrity impact is high as attackers can modify application files, inject backdoors, or alter database content. Availability is also highly impacted due to the ability to crash the PHP process via a Regular Expression Denial of Service (ReDoS) attack, rendering the service unavailable.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to disable or avoid using the vulnerable Bazar form field calculator feature. Do not rely on regular expressions to sanitize input for eval(). Instead, replace the vulnerable code with a dedicated, safe Abstract Syntax Tree (AST) math parser or a secure expression language component that does not execute system context code.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-px5m-h76g-p7p8
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-52778"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- CRITICAL
- Cvss Version
- 3.1
Threat ID: 6a50ba7368715ace43580249
Added to database: 07/10/2026, 09:25:07 UTC
Last enriched: 07/10/2026, 09:54:14 UTC
Last updated: 07/10/2026, 19:47:32 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.