GHSA-qg78-vmvc-fhjw: YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
YesWiki versions prior to 4.6.6 have an unauthenticated SQL injection vulnerability in the public Bazar entry-listing APIs. The issue arises because numeric query filters are escaped but not properly validated or quoted, allowing attackers to inject boolean SQL expressions. This can lead to unauthorized inference of database contents via crafted queries. The vulnerability affects numeric Bazar fields such as number, range, and map latitude/longitude fields. No known exploits in the wild have been reported.
AI Analysis
Technical Summary
YesWiki's public Bazar entry-listing APIs accept numeric query filters via GET parameters without proper numeric validation or quoting. The vulnerable code escapes user input but inserts it directly into SQL numeric expressions, enabling injection of boolean SQL subqueries. This allows unauthenticated attackers to manipulate SQL queries and infer database information based on query results. The vulnerability is present in versions before 4.6.6 and affects routes with public access. The injection occurs in SearchManager::buildQueriesConditions() where numeric values are concatenated into SQL without proper validation.
Potential Impact
An unauthenticated attacker can perform SQL injection via numeric query filters in the public API, potentially allowing them to infer sensitive database information. The vulnerability does not require authentication and can be exploited remotely. The impact is limited to information disclosure (confidentiality) as the CVSS vector indicates no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, restrict or disable public access to the vulnerable Bazar entry-listing APIs if possible. Avoid using numeric query filters in public API calls or implement strict numeric validation and quoting on inputs. Monitor vendor channels for official fixes.
GHSA-qg78-vmvc-fhjw: YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters
Description
YesWiki versions prior to 4.6.6 have an unauthenticated SQL injection vulnerability in the public Bazar entry-listing APIs. The issue arises because numeric query filters are escaped but not properly validated or quoted, allowing attackers to inject boolean SQL expressions. This can lead to unauthorized inference of database contents via crafted queries. The vulnerability affects numeric Bazar fields such as number, range, and map latitude/longitude fields. No known exploits in the wild have been reported.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
YesWiki's public Bazar entry-listing APIs accept numeric query filters via GET parameters without proper numeric validation or quoting. The vulnerable code escapes user input but inserts it directly into SQL numeric expressions, enabling injection of boolean SQL subqueries. This allows unauthenticated attackers to manipulate SQL queries and infer database information based on query results. The vulnerability is present in versions before 4.6.6 and affects routes with public access. The injection occurs in SearchManager::buildQueriesConditions() where numeric values are concatenated into SQL without proper validation.
Potential Impact
An unauthenticated attacker can perform SQL injection via numeric query filters in the public API, potentially allowing them to infer sensitive database information. The vulnerability does not require authentication and can be exploited remotely. The impact is limited to information disclosure (confidentiality) as the CVSS vector indicates no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, restrict or disable public access to the vulnerable Bazar entry-listing APIs if possible. Avoid using numeric query filters in public API calls or implement strict numeric validation and quoting on inputs. Monitor vendor channels for official fixes.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-qg78-vmvc-fhjw
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-52770"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- HIGH
- Cvss Version
- 3.1
Threat ID: 6a50ba7468715ace43580333
Added to database: 07/10/2026, 09:25:08 UTC
Last enriched: 07/10/2026, 09:55:42 UTC
Last updated: 07/10/2026, 09:55:42 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.