HIGH🇵🇱 Wersja polska

CVE-2026-34598

CVSS 7.1v4.0pub. 2026-04-02upd. 2026-04-10

YesWiki is a wiki system written in PHP. Prior to version 4.6.0, a stored and blind XSS vulnerability exists in the form title field. A malicious attacker can inject JavaScript without any authentication via a form title that is saved in the backend database. When any user visits that injected page, the JavaScript payload gets executed. This issue has been patched in version 4.6.0.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Yeswiki

    APP
    Yeswiki
    < 4.6.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2025-46348CRITICAL10.0PL ✓ten sam produkt

YesWiki — pominięcie uwierzytelnienia przy tworzeniu i pobieraniu kopii zapasowej

CVE-2024-51478CRITICAL9.9PL ✓ten sam produkt

YesWiki: słaby algorytm kryptograficzny umożliwia reset hasła dowolnego konta

CVE-2018-1000641CRITICAL9.8ten sam produkt

YesWiki version <= cercopitheque beta 1 contains a PHP Object Injection vulnerability in Unserialising user en...

CVE-2025-46349HIGH7.6ten sam produkt

YesWiki is a wiki system written in PHP. Prior to version 4.5.4, YesWiki is vulnerable to reflected XSS in the...

CVE-2025-31131HIGH8.6ten sam produkt

YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enab...