GHSA-xc7j-3g8q-9vh4: YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))
YesWiki's Bazar form-field templates contain stored cross-site scripting (XSS) vulnerabilities due to unsafe use of Twig's raw('html') filter on user-controllable field.label and field.hint values. These fields are populated from form definitions editable by users with high privileges (typically admins). The vulnerability allows injection of malicious HTML or event handlers in form attributes and label bodies, potentially affecting all users viewing the forms. The issue persists in multiple templates beyond those fixed in a prior commit. The CVSS 3.1 vector rates this as medium severity with a score of 4.7.
AI Analysis
Technical Summary
The vulnerability arises because Bazar form-field templates in YesWiki apply Twig's raw('html') filter to field.label and field.hint values without proper escaping or sanitization. The field.label is decoded from HTML entities back into raw characters, enabling injection of characters like quotes that break out of HTML attributes. Some templates use raw('html') combined with striptags, which removes tags but not quotes or event handlers, allowing attribute injection. Other templates use raw('html') without striptags, enabling direct tag injection. These fields are sourced from form definitions editable only by users with the 'saisie_formulaire' ACL, typically admins, but the XSS payload executes in the context of any viewer, including unauthenticated users. A prior fix addressed some templates but left at least seven others vulnerable, including base layout templates inherited by all Bazar field types. The vulnerability is tracked as CVE-2026-52772 and GHSA-xc7j-3g8q-9vh4.
Potential Impact
An attacker with high privileges (form editor/admin) can inject stored XSS payloads into form field labels and hints. These payloads execute in the security context of any user viewing the affected forms, including unauthenticated visitors, potentially leading to session hijacking, credential theft, or other client-side attacks. The scope is changed because the injection affects other users beyond the attacker. The CVSS score is 4.7 (medium), reflecting limited confidentiality and integrity impact but no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The prior commit fixed some templates but left others vulnerable. Until an official fix is released, restrict form definition editing to trusted administrators only and audit existing form definitions for malicious content. Avoid using Twig's raw('html') filter on untrusted input without proper escaping or sanitization. Monitor the YesWiki project for updates addressing the remaining vulnerable templates.
GHSA-xc7j-3g8q-9vh4: YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))
Description
YesWiki's Bazar form-field templates contain stored cross-site scripting (XSS) vulnerabilities due to unsafe use of Twig's raw('html') filter on user-controllable field.label and field.hint values. These fields are populated from form definitions editable by users with high privileges (typically admins). The vulnerability allows injection of malicious HTML or event handlers in form attributes and label bodies, potentially affecting all users viewing the forms. The issue persists in multiple templates beyond those fixed in a prior commit. The CVSS 3.1 vector rates this as medium severity with a score of 4.7.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because Bazar form-field templates in YesWiki apply Twig's raw('html') filter to field.label and field.hint values without proper escaping or sanitization. The field.label is decoded from HTML entities back into raw characters, enabling injection of characters like quotes that break out of HTML attributes. Some templates use raw('html') combined with striptags, which removes tags but not quotes or event handlers, allowing attribute injection. Other templates use raw('html') without striptags, enabling direct tag injection. These fields are sourced from form definitions editable only by users with the 'saisie_formulaire' ACL, typically admins, but the XSS payload executes in the context of any viewer, including unauthenticated users. A prior fix addressed some templates but left at least seven others vulnerable, including base layout templates inherited by all Bazar field types. The vulnerability is tracked as CVE-2026-52772 and GHSA-xc7j-3g8q-9vh4.
Potential Impact
An attacker with high privileges (form editor/admin) can inject stored XSS payloads into form field labels and hints. These payloads execute in the security context of any user viewing the affected forms, including unauthenticated visitors, potentially leading to session hijacking, credential theft, or other client-side attacks. The scope is changed because the injection affects other users beyond the attacker. The CVSS score is 4.7 (medium), reflecting limited confidentiality and integrity impact but no availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The prior commit fixed some templates but left others vulnerable. Until an official fix is released, restrict form definition editing to trusted administrators only and audit existing form definitions for malicious content. Avoid using Twig's raw('html') filter on untrusted input without proper escaping or sanitization. Monitor the YesWiki project for updates addressing the remaining vulnerable templates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-xc7j-3g8q-9vh4
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-52772"]
- Ecosystems
- ["Packagist"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a50ba7368715ace43580273
Added to database: 07/10/2026, 09:25:07 UTC
Last enriched: 07/10/2026, 09:55:14 UTC
Last updated: 07/10/2026, 13:05:56 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.