CRITICAL | CVE-2026-52778 | CNA: GitHub_M

CVE-2026-52778: YesWiki has Unsafe eval() in Formula Calculator - Remote Code Execution (RCE) & Denial of Service (DoS)

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in
Affected Products: 1

HarborGuard Analysis

Synopsis

A remote code execution vulnerability exists in YesWiki, a PHP-based wiki system, affecting all versions before 4.6.6. The Bazar form field calculator (CalcField.php) passes user-supplied mathematical formulas to PHP's eval() function after attempting to sanitize them with a regex that is itself vulnerable to catastrophic backtracking. An unauthenticated attacker who can reach the instance over the network can either bypass the regex to execute arbitrary PHP code or crash the server process through a ReDoS attack. A patched-image rebuild at version 4.6.6 is available on HarborGuard for environments running an affected version.
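
The alternative to filtering input for eval() is to tokenize the formula and compute the result directly, so that no user text is ever executed as PHP. The following is an added example, not YesWiki's code or its 4.6.6 fix: the class name `FormulaEvaluator`, the grammar, the field names and the length and depth limits are assumptions, and it requires PHP 8.

```php
<?php
declare(strict_types=1);
// Added example, not YesWiki code: class name, grammar and limits are assumptions.
final class FormulaEvaluator {
    private const MAX_LENGTH = 256; // assumed cap on formula size
    private const MAX_DEPTH = 32;   // assumed cap on nesting
    private const PREC = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    private array $tokens = [], $fields = [];
    private int $pos = 0;
    public function evaluate(string $formula, array $fields = []): float {
        if (strlen($formula) > self::MAX_LENGTH) throw new InvalidArgumentException('formula too long');
        // Flat alternation with no nested quantifiers or recursion: linear-time tokenizing.
        preg_match_all('/\G\s*(\d+(?:\.\d+)?|[a-z_]\w*|[-+*\/()])/i', $formula, $m);
        if (implode('', $m[0]) !== rtrim($formula)) throw new InvalidArgumentException('illegal character');
        $this->tokens = $m[1]; $this->fields = $fields; $this->pos = 0;
        $value = $this->binary(0, 1);
        if ($this->peek() !== null) throw new InvalidArgumentException('unexpected token');
        return $value;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    // Precedence climbing: left-associative + - * / over factor().
    private function binary(int $depth, int $minPrec): float {
        $v = $this->factor($depth);
        while (($op = $this->peek()) !== null && (self::PREC[$op] ?? 0) >= $minPrec) {
            $this->pos++;
            $r = $this->binary($depth, self::PREC[$op] + 1);
            if ($op === '/' && $r == 0.0) throw new DomainException('division by zero');
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }
    private function factor(int $depth): float {
        if ($depth > self::MAX_DEPTH) throw new InvalidArgumentException('nesting too deep');
        $t = $this->tokens[$this->pos++] ?? null;
        if ($t === '-') return -$this->factor($depth + 1);
        if ($t === '(') {
            $v = $this->binary($depth + 1, 1);
            if ($this->peek() !== ')') throw new InvalidArgumentException('missing )');
            $this->pos++;
            return $v;
        }
        if ($t !== null && is_numeric($t)) return (float) $t;
        // Identifiers are only ever looked up as data; nothing is callable.
        if ($t !== null && array_key_exists($t, $this->fields)) return (float) $this->fields[$t];
        throw new InvalidArgumentException('unknown or misplaced token');
    }
}
// Constructed input: field names and values are made up for the demo.
var_dump((new FormulaEvaluator())->evaluate('(price - 2) * qty / 4', ['price' => 12, 'qty' => 3]));
```

Any identifier that is not a supplied field name, and any character outside the small token set, raises an exception before a result is produced.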

HarborGuard Coverage

Detection

Detection of CVE-2026-52778 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle YesWiki or its dependencies.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 Critical and weighting it against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer organization.

Status: Available

Patch

Because the description notes that version 4.6.6 patches this issue, a patched-image rebuild at that version becomes available on HarborGuard for any image found to carry an affected release. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is reachable over the network; an attacker must be able to send HTTP requests to the YesWiki instance.

  • Authentication: Not required

    No account or credentials are needed to submit a formula to the calculator field.

  • Victim interaction: Not required

    The attacker submits the malicious payload directly; no user action on the target system is required.

  • Attack complexity: Detail

    Exploitation is condition-free and reliable; no race conditions, memory layout knowledge, or special environmental state is required.

Blast Radius

  • Executes arbitrary PHP code on the server, giving the attacker full control over the hosting process and its file system.
  • Reads any data accessible to the web server process, including configuration files, secrets, and stored wiki content.
  • Writes or deletes files on the server, enabling persistent backdoors or destruction of wiki data.
  • Crashes the server process via a crafted regex input (ReDoS), causing a denial of service for all users of the wiki instance.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-52778 is active across all connected registries and CI pipelines the moment the CVE enters the upstream feed, with no manual configuration required per image. Because version 4.6.6 is the designated fix, a patched-image rebuild at that version is available for any image HarborGuard identifies as running an affected release of YesWiki. For customers with auto-remediation enabled, the typical flow produces a rebuilt image, a regression-test run, and a PR opened against affected workloads; for high-severity and critical issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who have not opted into auto-remediation, the finding appears in the vulnerability dashboard with the fix version noted so teams can act manually. Until an upgrade is applied, teams can consider restricting public access to the Bazar form calculator endpoint via network policy or a web application firewall rule as a compensating control.

Affected packages

  • YesWiki / yeswiki: < 4.6.6

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H