CVE-2026-52778
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
YesWiki is a wiki system written in PHP that prior to version 4.6.6 contained an unsafe execution vulnerability in the Bazar form field calculator (CalcField.php). The flawed implementation of sanitizing user-defined mathematical formulas leads to ReDoS vulnerabilities and allows arbitrary PHP code execution.
Risk Assessment
This vulnerability poses a significant risk to organizations as it can lead to server crashes and unauthorized code execution, jeopardizing the integrity and availability of the system.
Recommendation
It is recommended to upgrade to version 4.6.6 or later to mitigate this vulnerability and minimize the risk of unauthorized access to the system.
Original NVD description (English source)
YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. This implementation is inherently flawed: it is vulnerable to Regular Expression Denial of Service (ReDoS / Stack Overflow) which can crash the server, and it creates a high-risk architecture where any logic bypass directly results in arbitrary PHP code execution. Version 4.6.6 patches the issue.

