Aggregates CVE and security vulnerability intelligence across all yeswiki-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk cross-site scripting, vendor risk sql injection, and vendor risk path handling; exposure may include vendor impact session compromise in vendor surface software deployment contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-34598 | YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0. | [email protected] | 7.1 | 0.06% | 2026-04-02 | 2026-04-10 |
| CVE-2025-52277 | Cross Site Scripting vulnerability in YesWiki v.4.54 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configuration robots field | [email protected] | 6.1 | 0.16% | 2025-09-09 | 2025-10-17 |
| CVE-2025-46550 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in versi | [email protected] | 4.3 | 0.45% | 2025-04-29 | 2025-05-09 |
| CVE-2025-46549 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4. | [email protected] | 4.3 | 0.39% | 2025-04-29 | 2025-05-09 |
| CVE-2025-46348 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue ha | [email protected] | 10.0 | 0.44% | 2025-04-29 | 2025-05-09 |
| CVE-2025-46350 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4. | [email protected] | 3.5 | 0.20% | 2025-04-29 | 2025-05-09 |
| CVE-2025-46349 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the file upload form. This vulnerability allows any malicious unauthenticated user to create a link that can be clicked on by the victim to perform arbitrary actions. This issue has been patched in version 4.5.4. | [email protected] | 7.6 | 0.54% | 2025-04-29 | 2025-05-09 |
| CVE-2025-46347 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki vulnerable to remote code execution. An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary code on the server, resulting in a full compromise of the server. This could potentially be performed unwittingly by a user. This issue has been patched in version 4.5.4. | [email protected] | 5.8 | 3.97% | 2025-04-29 | 2025-05-09 |
| CVE-2025-46346 | YesWiki is a wiki system written in PHP. Prior to version 4.5.4, a stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the application fails to properly sanitize or encode user input submitted to the comments. Notably, the application sanitizes or does not allow execut | [email protected] | 6.3 | 0.27% | 2025-04-29 | 2025-05-09 |
| CVE-2025-31131 | YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability is fixed in 4.5.2. | [email protected] | 8.6 | 12.04% | 2025-04-01 | 2025-05-09 |
| CVE-2025-24019 | YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope. This vulnerability allows any authenticated user to arbitrarily remove content from the Wiki resulting in partial loss of data and defacement/deterioration of the website. In the context of a container | [email protected] | 7.1 | 0.62% | 2025-01-21 | 2025-05-09 |
| CVE-2025-24018 | YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content edition feature and more specifically of the `{{attach}}` component allowing users to attach files/medias to a page. When a file is attached using the `{{attach}}` component, if the resource contained | [email protected] | 7.6 | 0.20% | 2025-01-21 | 2025-05-09 |
| CVE-2025-24017 | YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end-user crafting a DOM based XSS on all of YesWiki's pages which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search by tag feature. When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This vuln | [email protected] | 7.6 | 0.29% | 2025-01-21 | 2025-05-09 |
| CVE-2024-51478 | YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5. | [email protected] | 9.9 | 0.16% | 2024-10-31 | 2025-05-09 |
| CVE-2021-43091 | An SQL Injection vlnerability exits in Yeswiki doryphore 20211012 via the email parameter in the registration form. | [email protected] | 7.5 | 0.15% | 2022-03-25 | 2024-11-21 |
| CVE-2018-13045 | SQL injection vulnerability in the "Bazar" page in Yeswiki Cercopitheque 2018-06-19-1 and earlier allows attackers to execute arbitrary SQL commands via the "id" parameter. | [email protected] | 9.8 | 2.64% | 2019-01-02 | 2024-11-21 |
| CVE-2018-1000641 | YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in Unserialising user entered parameter in i18n.inc.php that can result in execution of code, disclosure of information. | [email protected] | 9.8 | 0.82% | 2018-08-20 | 2024-11-21 |