CRITICAL
YesWiki
CVE published 2026-06-08
CVE-2026-52778
A critical vulnerability (CVSS Score: 9.8) exists in YesWiki's Bazar form field calculator (CalcField.php) prior to version 4.6.6. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval() function. However, this implementation is flawed, making it vulnerable to Regular Expression Denial of Service (ReDoS / St [truncated]