EXECUTIVE SUMMARY:
CVE-2026-46670 (CVSS score 9.8) describes an unauthenticated SQL injection vulnerability in the YesWiki Bazar form-import functionality, specifically within FormManager::create(), where user-controlled input is concatenated directly into an SQL INSERT statement without quoting or parameterization. This flaw allows any unauthenticated attacker to inject arbitrary SQL through crafted requests and read sensitive database contents, including user credentials and password hashes. Exploitation leverages SQL expression injection: arithmetic operations combined with functions such as ASCII() and SUBSTRING() exfiltrate data character by character via predictable numeric transformations in the inserted records, ultimately enabling full database compromise and sensitive data exposure.
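To make the root cause concrete, the following is an added example (not YesWiki code and not from the advisory) that contrasts the unsafe pattern the summary describes, a value concatenated straight into an INSERT, with a parameterized INSERT. It uses an in-memory SQLite table named forms as a stand-in for the real schema; the table, column names, function names and the crafted input are all constructed for illustration. A value containing a quote and a second VALUES tuple changes the structure of the concatenated statement (two rows are inserted), while the parameterized version stores the same string verbatim as a single row.

```python
import sqlite3

# Constructed sample input: a string that, if concatenated into the SQL text,
# closes the first VALUES tuple and opens a second one.
CRAFTED_NAME = "x', 'y'), ('z"


def new_db():
    """Create an in-memory database with a hypothetical 'forms' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE forms (id INTEGER PRIMARY KEY, name TEXT, template TEXT)"
    )
    return conn


def create_form_vulnerable(conn, name, template):
    """Hypothetical stand-in for the unsafe pattern: values concatenated into
    the INSERT text, so the input is parsed as part of the statement."""
    sql = (
        "INSERT INTO forms (name, template) VALUES ('"
        + name + "', '" + template + "')"
    )
    conn.execute(sql)
    conn.commit()


def create_form_hardened(conn, name, template):
    """Parameterized INSERT: the driver passes the values separately from the
    SQL text, so the input can never change the statement's structure."""
    conn.execute(
        "INSERT INTO forms (name, template) VALUES (?, ?)", (name, template)
    )
    conn.commit()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM forms").fetchone()[0]


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM forms ORDER BY id")]


def compare(name=CRAFTED_NAME, template="t"):
    """Run the same input through both implementations and report the effect."""
    vuln, hard = new_db(), new_db()
    create_form_vulnerable(vuln, name, template)
    create_form_hardened(hard, name, template)
    return {
        "vulnerable_rows": row_count(vuln),   # 2: structure was altered
        "hardened_rows": row_count(hard),     # 1: input stored as data
        "hardened_names": stored_names(hard),  # the crafted string, verbatim
    }


if __name__ == "__main__":
    print(compare())
```

The point for reviewers is the second function: with placeholders, the crafted string is stored as an ordinary column value, and the same holds for any expression an attacker might embed, because the database never parses the value as SQL. A code audit for this bug class looks for string building around INSERT/UPDATE/SELECT text and replaces it with bound parameters.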
RECOMMENDATION:
We recommend updating yeswiki/yeswiki to version 4.6.5 or later.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jwvv-qr7q-cv8j