Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-r5xw-gcgw-hwp5: YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes

0
Medium
Published: 07/09/2026 (07/09/2026, 21:01:10 UTC)
Source: GCVE Database
Product: yeswiki/yeswiki

Description

YesWiki versions prior to 4.6.6 with the Bazar extension enabled are vulnerable to a reflected cross-site scripting (XSS) issue. The vulnerability arises because the `id` GET parameter is inserted into HTML attributes without proper escaping, using only `strip_tags()`, which does not neutralize double quotes. This allows attackers to inject arbitrary HTML attributes and JavaScript event handlers, leading to script execution in the victim's browser. The vulnerable endpoint is accessible without authentication or any access control checks, and does not require valid page tags or edit rights. An attacker can craft a URL that, when visited by a victim, triggers the injected script. This vulnerability is classified as CWE-79 and has a moderate severity rating.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected software

Packagistghsa
yeswiki/yeswiki
Affected versions
<4.6.6

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 09:54:44 UTC

Technical Analysis

YesWiki's Bazar widget handler reflects the `id` GET parameter into HTML attributes (`data-formid` and `data-iframeUrl`) using `strip_tags()` which only removes HTML tags but does not escape special characters like double quotes. This allows an attacker to break out of the attribute context and inject event handlers such as `onmouseover`, resulting in reflected XSS. The vulnerable route requires only the presence of the `id` parameter and the Bazar extension enabled; it performs no authentication or authorization checks. The vulnerability was confirmed on YesWiki version 4.6.5. The issue enables arbitrary JavaScript execution in the context of the YesWiki origin, affecting both unauthenticated and authenticated users.

Potential Impact

An attacker can execute arbitrary JavaScript in the browser of any user who visits a crafted URL on a vulnerable YesWiki instance with Bazar enabled. This can lead to theft of sensitive browser-accessible data, session hijacking, and actions performed on behalf of the victim. The vulnerability requires no authentication or permissions and affects public visitors and logged-in users alike. There is no indication of denial of service or server-side impact.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling the Bazar extension if it is not needed or implement web application firewall (WAF) rules to detect and block suspicious requests targeting the `id` parameter in the widget route. Avoid exposing the vulnerable endpoint to untrusted users. Monitor official YesWiki channels for updates and apply official fixes once released.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-r5xw-gcgw-hwp5
Osv Schema Version
1.4.0
Aliases
["CVE-2026-52774"]
Ecosystems
["Packagist"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a50ba7368715ace43580261

Added to database: 07/10/2026, 09:25:07 UTC

Last enriched: 07/10/2026, 09:54:44 UTC

Last updated: 07/10/2026, 09:54:44 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses