Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-xc7j-3g8q-9vh4: YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))

0
Medium
Published: 07/09/2026 (07/09/2026, 21:00:33 UTC)
Source: GCVE Database
Product: yeswiki/yeswiki

Description

YesWiki's Bazar form-field templates contain stored cross-site scripting (XSS) vulnerabilities due to unsafe use of Twig's raw('html') filter on user-controllable field.label and field.hint values. These fields are populated from form definitions editable by users with high privileges (typically admins). The vulnerability allows injection of malicious HTML or event handlers in form attributes and label bodies, potentially affecting all users viewing the forms. The issue persists in multiple templates beyond those fixed in a prior commit. The CVSS 3.1 vector rates this as medium severity with a score of 4.7.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Affected software

Packagistghsa
yeswiki/yeswiki
Affected versions
<4.6.6

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 09:55:14 UTC

Technical Analysis

The vulnerability arises because Bazar form-field templates in YesWiki apply Twig's raw('html') filter to field.label and field.hint values without proper escaping or sanitization. The field.label is decoded from HTML entities back into raw characters, enabling injection of characters like quotes that break out of HTML attributes. Some templates use raw('html') combined with striptags, which removes tags but not quotes or event handlers, allowing attribute injection. Other templates use raw('html') without striptags, enabling direct tag injection. These fields are sourced from form definitions editable only by users with the 'saisie_formulaire' ACL, typically admins, but the XSS payload executes in the context of any viewer, including unauthenticated users. A prior fix addressed some templates but left at least seven others vulnerable, including base layout templates inherited by all Bazar field types. The vulnerability is tracked as CVE-2026-52772 and GHSA-xc7j-3g8q-9vh4.

Potential Impact

An attacker with high privileges (form editor/admin) can inject stored XSS payloads into form field labels and hints. These payloads execute in the security context of any user viewing the affected forms, including unauthenticated visitors, potentially leading to session hijacking, credential theft, or other client-side attacks. The scope is changed because the injection affects other users beyond the attacker. The CVSS score is 4.7 (medium), reflecting limited confidentiality and integrity impact but no availability impact.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The prior commit fixed some templates but left others vulnerable. Until an official fix is released, restrict form definition editing to trusted administrators only and audit existing form definitions for malicious content. Avoid using Twig's raw('html') filter on untrusted input without proper escaping or sanitization. Monitor the YesWiki project for updates addressing the remaining vulnerable templates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-xc7j-3g8q-9vh4
Osv Schema Version
1.4.0
Aliases
["CVE-2026-52772"]
Ecosystems
["Packagist"]
Database Specific Severity
MODERATE
Cvss Version
3.1

Threat ID: 6a50ba7368715ace43580273

Added to database: 07/10/2026, 09:25:07 UTC

Last enriched: 07/10/2026, 09:55:14 UTC

Last updated: 07/10/2026, 13:05:56 UTC

Views: 2

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses