GHSA-r5xw-gcgw-hwp5: YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes
YesWiki versions prior to 4.6.6 with the Bazar extension enabled are vulnerable to a reflected cross-site scripting (XSS) issue. The vulnerability arises because the `id` GET parameter is inserted into HTML attributes without proper escaping, using only `strip_tags()`, which does not neutralize double quotes. This allows attackers to inject arbitrary HTML attributes and JavaScript event handlers, leading to script execution in the victim's browser. The vulnerable endpoint is accessible without authentication or any access control checks, and does not require valid page tags or edit rights. An attacker can craft a URL that, when visited by a victim, triggers the injected script. This vulnerability is classified as CWE-79 and has a moderate severity rating.
AI Analysis
Technical Summary
YesWiki's Bazar widget handler reflects the `id` GET parameter into HTML attributes (`data-formid` and `data-iframeUrl`) using `strip_tags()` which only removes HTML tags but does not escape special characters like double quotes. This allows an attacker to break out of the attribute context and inject event handlers such as `onmouseover`, resulting in reflected XSS. The vulnerable route requires only the presence of the `id` parameter and the Bazar extension enabled; it performs no authentication or authorization checks. The vulnerability was confirmed on YesWiki version 4.6.5. The issue enables arbitrary JavaScript execution in the context of the YesWiki origin, affecting both unauthenticated and authenticated users.
Potential Impact
An attacker can execute arbitrary JavaScript in the browser of any user who visits a crafted URL on a vulnerable YesWiki instance with Bazar enabled. This can lead to theft of sensitive browser-accessible data, session hijacking, and actions performed on behalf of the victim. The vulnerability requires no authentication or permissions and affects public visitors and logged-in users alike. There is no indication of denial of service or server-side impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling the Bazar extension if it is not needed or implement web application firewall (WAF) rules to detect and block suspicious requests targeting the `id` parameter in the widget route. Avoid exposing the vulnerable endpoint to untrusted users. Monitor official YesWiki channels for updates and apply official fixes once released.
GHSA-r5xw-gcgw-hwp5: YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes
Description
YesWiki versions prior to 4.6.6 with the Bazar extension enabled are vulnerable to a reflected cross-site scripting (XSS) issue. The vulnerability arises because the `id` GET parameter is inserted into HTML attributes without proper escaping, using only `strip_tags()`, which does not neutralize double quotes. This allows attackers to inject arbitrary HTML attributes and JavaScript event handlers, leading to script execution in the victim's browser. The vulnerable endpoint is accessible without authentication or any access control checks, and does not require valid page tags or edit rights. An attacker can craft a URL that, when visited by a victim, triggers the injected script. This vulnerability is classified as CWE-79 and has a moderate severity rating.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
YesWiki's Bazar widget handler reflects the `id` GET parameter into HTML attributes (`data-formid` and `data-iframeUrl`) using `strip_tags()` which only removes HTML tags but does not escape special characters like double quotes. This allows an attacker to break out of the attribute context and inject event handlers such as `onmouseover`, resulting in reflected XSS. The vulnerable route requires only the presence of the `id` parameter and the Bazar extension enabled; it performs no authentication or authorization checks. The vulnerability was confirmed on YesWiki version 4.6.5. The issue enables arbitrary JavaScript execution in the context of the YesWiki origin, affecting both unauthenticated and authenticated users.
Potential Impact
An attacker can execute arbitrary JavaScript in the browser of any user who visits a crafted URL on a vulnerable YesWiki instance with Bazar enabled. This can lead to theft of sensitive browser-accessible data, session hijacking, and actions performed on behalf of the victim. The vulnerability requires no authentication or permissions and affects public visitors and logged-in users alike. There is no indication of denial of service or server-side impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling the Bazar extension if it is not needed or implement web application firewall (WAF) rules to detect and block suspicious requests targeting the `id` parameter in the widget route. Avoid exposing the vulnerable endpoint to untrusted users. Monitor official YesWiki channels for updates and apply official fixes once released.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-r5xw-gcgw-hwp5
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-52774"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a50ba7368715ace43580261
Added to database: 07/10/2026, 09:25:07 UTC
Last enriched: 07/10/2026, 09:54:44 UTC
Last updated: 07/10/2026, 09:54:44 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.